Business Management Dynamics
Vol.5, No.11, May 2016, pp.16-39
©Society for Business and Management Dynamics
Cyber Security Management: A Review
Kouroush Jenab1 and Saeid Moslehpour2
Abstract
This paper presents a review of selected literature on cyber security topics. A
wide range of topics is looked at that relate to cyber security. Several references
are provided.
Key words: Computer, Cyber, Security, Attack
Available online: www.bmdynamics.com
ISSN: 2047-7031
INTRODUCTION
The online IT dictionary Techopedia defines cyber attacks as “…deliberate exploitation of computer
systems, technology-dependent enterprises and networks. Cyber attacks use malicious code to alter
computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to
cybercrimes, such as information and identity theft.” (Techopedia online dictionary, n.d.) Cyber attacks
are unleashed on corporations and personal computers every day.
In a green paper published by the Department of Commerce Internet Policy Task Force (2011), Secretary
of Commerce Gary Locke states that, “Protecting security of consumers, businesses and the Internet
infrastructure has never been more difficult. Cyber attacks on Internet commerce, vital business sectors
and government agencies have grown exponentially. Some estimates suggest that, in the first quarter of
this year, security experts were seeing almost 67,000 new malware threats on the Internet every day. This
means more than 45 new viruses, worms, spyware, and other threats were being created every minute,
more than double the number from January 2009. As these threats grow, security policy, technology and
procedures need to evolve even faster to stay ahead of the threats.” (Cybersecurity, innovation and the
internet economy, 2011). That was 2011; imagine what those numbers are today.
The world has seemingly become more and more dependent on the internet since it was introduced to the
masses in the early 1990s. Businesses have created large network systems to share and manage data
about their products, vendors, and employees with other company locations around the world. These
same systems are used to market their products to consumers and to sell them to those consumers via
the company website or a third-party vendor. Over the last twenty years the general public has
increased its ownership of electronic devices such as laptops and personal computers at home to shop
online, pay bills online, manage personal information and work remotely. People have also increased
their ownership of tablets, smart phones and other mobile devices to update their social media, stay
informed of events and remain in frequent contact with family and friends.
This need to share information about a company’s products and to manage company and employee data,
together with people’s need to stay connected, shop online and pay bills online, has offered an opportunity
to the computer world’s bad guys, the hackers. Regardless of ability, the black hat hacker’s goal is to wreak
havoc upon a company’s business and the average internet user’s life by introducing malicious software
to their computer network or personal smart device. A few examples of black hat hacks are overloading
internet servers to impact access to a business, hijacking websites to blemish reputations, and identity theft
for financial gain. These hacks introduce malware or use phishing techniques to steal valuable information or
to otherwise have a negative impact on the target’s image.
1 Faculty of College of Aeronautics, Embry-Riddle Aeronautical University, 600 S. Clyde Morris Blvd Daytona Beach, FL
32114-3900, USA
E-mail: kouroush.jenab@erau.edu
2 Faculty of College of Engineering, Technology, and Architecture, University of Hartford, Hartford, CT, USA
E-mail: moslehpou@hartford.edu
According to the Economist online publication:
“Securing cyberspace is hard because the architecture of the internet was designed to promote
connectivity, not security. Its founders focused on getting it to work and did not worry much about
threats because the network was affiliated with America’s military. As hackers turned up, layers of
security, from antivirus programs to firewalls, were added to try to keep them at bay. Gartner, a research
firm, reckons that last year organizations around the globe spent $67 billion on information security.
On the whole, these defenses have worked reasonably well. For all the talk about the risk of a
“cyber 9/11” or a “cybergeddon”, the internet has proved remarkably resilient. Hundreds of millions of
people turn on their computers every day and bank online, shop at virtual stores, swap gossip and
photos with their friends on social networks and send all kinds of sensitive data over the web without ill
effect. Companies and governments are shifting ever more services online.
But the task is becoming harder. Cyber-security, which involves protecting both data and people,
is facing multiple threats, notably cybercrime and online industrial espionage, both of which are growing
rapidly. A recent estimate by the Centre for Strategic and International Studies (CSIS), a think-tank, puts
the annual global cost of digital crime and intellectual-property theft at $445 billion, a sum roughly
equivalent to the GDP of a smallish rich European country such as Austria” (“Defending the digital
frontier”, 2014).
Companies buy software and hire network security specialists to monitor their networks, all to
assist in the detection and prevention of attacks on those networks. The average internet user, on the
other hand, can buy security software and adhere to preventive measures and practices to limit
attacks. Cybersecurity as defined by Techopedia is “…preventative methods used to protect information
from being stolen, compromised or attacked. It requires an understanding of potential information
threats, such as viruses and other malicious code. Cyber security strategies include identity management,
risk management and incident management” (Techopedia online dictionary, n.d.). This paper aims to
review some of the available literature on the primary threats to cyber security and the available tools used to
combat them. Table 1 lists the sources from which most of the references used in this paper came.
Table 1: Sources of Most of the References
Serial No.   Source
1            International Journal of Computer Science and Information Security
2            International Journal of Information Security
3            IET Communications
4            Secure List
5            Information Management and Computer Security
6            Journal of Computer Security
7            Linux Journal
8            Economic Times
9            International Journal of Information Security and Privacy
CYBER SECURITY
Cyber security is a growing concern as we are made aware of more and more threats. There are
several different types of cyber security issues, but for the purpose of this paper we will only cover a few.
Spyware is one of several sneaky approaches hackers can use to gain access to your network and personal
information. Spyware is software that collects information about a user without their knowledge.
Spyware, like most tools hackers use, can serve purposes ranging from relatively harmless ones, such as
collecting data to display advertising relevant to your interests, to collecting private information. Hackers
can also use this software to install other programs like keyloggers that can record your keystrokes and
keep a record of your history and passwords. Some spyware even comes from “anti-spyware” companies
that create malware to infect your system and then offer a solution for a fee to remove it. Spyware
infections are prevalent. The following graphs show the percentage of PCs estimated to have
spyware/adware and the percentage of PCs lacking up-to-date protection. The pie chart shows the
percentage breakdown of the threat level of spyware, the most common being a minor threat. To protect
your PC from spyware you should be careful
when downloading free software: run a search on the software for claims of being spyware, and read the
license when installing.
Worms are another cyber security problem. Worms have similar characteristics to a virus and are self-
replicating. Some of the different types of worms that PC and mobile device users are vulnerable to are
email worms, instant messaging worms, internet worms, IRC worms, and file-sharing network worms.
Since the early 1980s the Internet community has understood the mechanics of viruses and worms, yet
the internet remains vulnerable to large-scale worm outbreaks to this day. The 1988 Morris worm taught
the internet community to be diligent in watching for potentially dangerous worms and has led to
several sorts of security equipment being installed, from antivirus software to intrusion detection systems.
As long as the virus writers keep improving and innovating their tactics, the antivirus industry will
continue to work to catch up and outbreaks will continue to be a problem. These viruses and worms are
successful because of the security vulnerabilities that computers and devices have that can be exploited;
the internet is just a gateway for some of this activity.
[Figure: Survey of PCs. Categories: PCs lacking up to date protection; PCs with spyware/adware.]
[Figure: Spyware threat level, pie chart. Segments: Severe Threat, Moderate Threat, Minor Threat; extracted labels: 15%, 25%, 60%.]
[Figure: Threats by Type. Categories: Viruses; Misc. Trojans; Trojan downloaders; Misc. potentially unwanted software; Adware; Exploits; Worms.]
Passwords are “secret” words or phrases used by many sites and organizations to identify users.
Passwords are unfortunately a large security threat because they are vulnerable to being broken or
guessed by a person or program. Passwords can also be transmitted over a network or stored insecurely
somewhere. A report from global consulting firm Deloitte stated that more than 90% of user-generated
passwords will be vulnerable to hacking. More and more often, major companies are announcing a hack
exposing information of patients and customers, putting millions of people at risk of identity theft.
Passwords can be secure when users protect them and construct them to prevent brute-force attacks and
inspection or decryption of passwords. The human factor is the largest risk in almost all cyber security,
especially passwords. People in particular have a hard time remembering multiple complicated
passwords that they change frequently. The purpose of having multiple complicated passwords that
change frequently is to encourage hard-to-guess passwords. Sometimes humans can guess passwords, but
there is also software available to automate the guessing process and try millions of possible combinations
per second. Back in 2012 a password cracking expert unveiled a computer cluster that can cycle through
as many as 350 billion guesses per second. This machine can try every possible Windows passcode in the
typical enterprise in less than six hours.
Computer viruses have a long history for both Windows and Apple products. Computer viruses are
malware programs that duplicate themselves by attaching copies of the program within other programs
on a computer system. These programs are inserted without the user’s consent. They may also be
replicated by attaching to data files or the boot sector of a hard drive. Computer viruses are often spread
by attachments in emails. They may also be spread through instant messaging. Viruses can be disguised
as attachments of video files, funny images, and fake charity sites. Once these viruses are downloaded
they perform unwanted activity on the system. This includes retrieving private information, logging a
user’s keystrokes, pirating CPU space, sending unsolicited mail to the person’s contacts, or corrupting
files. These programs have caused financial problems over the last two decades. The cyber thieves who insert
viruses have found several ways to extort money from personal and corporate devices.
A common form of malware virus will encrypt a computer file or crash your browser. Once the file is in
your computer, they may change your password. This will be followed up with a message demanding
money to unlock the password, or to retrieve locked files. This type of virus is also known as a trojan.
Trojan viruses are all over the internet today. Unlike most computer viruses, trojans do not replicate
themselves. They are offered as a program that will help a user get rid of computer viruses. Once
downloaded, trojans spread viruses to the system. Problems caused by trojans include: data sending,
denial of service, remote access to system, and disabling software security. These viruses invade privacy,
[Figure: Actual password reuse between two breached web sites with plaintext passwords. Categories: Reused exact password; Reused with capitalization differences; Used unique passwords. Axis: 0% to 100%.]
but may be hard to detect at first. Again, they appear to be a routine useful piece of software. They will
often cause the computer to be slow. Another common trojan may be spread through a popular screen
saver. Downloading the infected screen saver to the computer will install the trojan onto the computer. A
site may appear to offer a free download for a program, game, product or subscription that normally
costs money. Downloading this pirated version would make you think you are allowed access to it.
During installation this allows the trojan to gain access to your computer. You may receive an email that
appears to be from a friend who asks you to view a new program that they have been using or look at a
video or file. Opening the file will infect your computer with the trojan horse. Once interaction is made
with the trojan program, the computer’s network may be scanned by the hacker. This gives the hacker
control over the network.
Phishing is another common way for hackers to steal information through several avenues. Phishing is an
attempt to gather private information such as bank account info, usernames/passwords, and other
details. This is often done through email communication. The person sending an email appears to send a
trustworthy communication that deceives a victim by offering the user help or a deal that appears to be
legitimate. The email may contain a link to a fake website. The user gives personal information to the site.
Once this happens the hacker has control and may use the information to gain money, passwords, or
security codes. Sometimes these emails and websites contain malware or trojan viruses. Phishers
commonly target bank customers as well as online payment services. Hackers are using phishing as a tool
through social media. This is growing as social media outlets become more popular each day. Hackers
use fake identities to gain a user’s trust through the various social sites. The hacker is attempting to gain
personal information such as passwords, social security numbers, banking information through social
avenues. The damage caused by phishing can be costly. It may mean denial of email access, or deleted
files. It may cause a financial loss through online or banking fraud.
Combating all cyber security threats is an important task today. Many internet users have been victims of
security breaches. This can make you susceptible to losing money or to damaged credit. It is important to
continue to develop security measures to prevent data breaches. These breaches have created a new
underground economy, with hackers gaining access to banking information, or fraudulently purchasing
property and establishing lines of credit. This can also cause private personal information to be accessible
to the public. More must be done to attain intelligence of network and information security. Identity theft
can cost you many hours of time spent trying to correct damage to your credit. It can also cost a lot of
money to pay someone to delete the programs, viruses, and trojans off your devices. Companies
all over the globe use resources to defend themselves against these attacks. Cybercrime is a global
phenomenon and continues to hinder efforts to successfully execute punishment against hackers. It is
important that efforts are made to coordinate streamlined methods to fight cybercrime. As these crimes
evolve, all user groups (private sector, military, and user groups) must continue to establish task forces to
combat these attacks. It is important for each user to recognize these criminal attempts and to modify
internet browsing accordingly. It is also important not to release any personal information if the site or
email is suspicious.
CLASSIFICATION OF LITERATURE
The topic of cyber security can be divided into many sub categories. The relatable topics of cyber security
are the types of attacks and ways of preventing attacks. Table 2 is a classification of literature according to
cyber security topics. Emphasis is given to the topics of network and information security, as well as
intrusion detection.
Table 2: Classification of Literature According to Topic
Serial No.   Topic                          References
1            Trojans and backdoor attacks   [1, 8, 17, 31, 37, 55, 98, 107, 115]
2            Denial of service              [2, 11, 24, 27, 66, 80, 97, 125, 129, 130, 138]
3            Network security               [3, 9, 13, 16, 19, 38, 39, 45, 62, 82, 91, 99, 100, 108, 119, 135, 136, 140]
4            Information security           [4, 5, 7, 30, 44, 46, 47, 50, 52, 53, 58, 68, 75, 77, 78, 81, 84, 100, 104, 117, 123, 131]
5            Cybercrime                     [16, 23, 34, 37, 38, 83, 84, 85, 90, 95, 105, 112, 113, 121, 123, 126]
6            Cloud security                 [6, 26, 32, 65]
7            Intrusion detection            [34, 37, 39, 43, 51, 56, 64, 69, 73, 76, 81, 94, 96, 99, 114, 118, 119, 127, 137]
8            Spyware                        [10, 15, 122]
9            Phishing                       [12, 22, 33, 41, 59, 60, 63, 71, 111]
10           Viruses                        [14, 18, 20, 21, 25, 29, 35, 36, 42, 48, 67, 72, 74, 106, 120, 124, 128, 132, 133]
11           Worms                          [14, 28, 54, 89, 128]
12           Man-in-the-middle attacks      [70, 86, 88, 134, 135, 136, 139]
13           Passwords                      [40, 49, 57, 61, 75, 79, 87, 92, 93, 101, 102, 103, 109, 116]
REVIEW OF LITERATURE
This section is a review of literature on the topic of cyber security. The literature is presented by topic.
Trojans and Backdoor Attacks
Abdulla and Ravikumar [1] looked at combating trojans and backdoor attacks. By use of time
fingerprints, trojans can be detected and traced through infected files. Desired properties in UNIX and
DOS have been verified.
Barker [8] explains that the Trojan backdoor Yebot is capable of implementing many negative actions on
an infected machine. It downloads and decrypts the Trojan and transfers control to it after sending a
request to the remote server. It will monitor and interfere with surfing, and is also capable of logging
keystrokes. Analysts show this as a multiple use malware being used as a banking Trojan.
Cloherty and Thomas [17] discuss a malware program that is a threat to U.S. national security. Sources
believe software sponsored by the Russian government is used to control oil and gas pipelines, as well
as water and filtration systems. The Department of Homeland Security states that a computer network
has been hacked as a threat, but the malware hasn’t been activated.
Kaspersky Labs’ Global Research and Analysis Team [31] discuss an international science conference in
Houston, TX 2009. The Trojan DoubleFantasy sends basic system information to the hackers. This allows
them to upload another malware to the victim’s machine.
Garnaeva et al. [37] observe mobile banking Trojan statistics in 2014. Statistics show that the USA is the top
country under attack. Russia leads in the number of individual users attacked by bank malware. Mobile
banking Trojans increased nine times more in 2014 compared to 2013.
Kaspersky Labs’ Global Research and Analysis Team [55] observe the EquationDrug Trojan by the
Equation Group. This malware copies information remotely and customizes attacks for each of its
victims.
Trojan horse viruses are still being distributed through unsolicited emails today. Pillai [98] describes this
malware as a cheap and easily distributed program that can take remote control of a computer. Cyber
criminals use this virus as a means to illegally transfer money to overseas accounts after they obtain
banking information from victims.
Russell [107] examines a report of the Japanese government being hacked by a Chinese Trojan horse
attack. This was discovered after a politician opened an email attachment. It is not clear what information
was compromised. Maj Gen Shaw, who heads up the British Ministry of Defence’s cyber programme, told
the Daily Telegraph that “the biggest threat to the country by cyber is not military, it is economic”. At this
point in 2011, Asia had a reported 117 government websites that had been hit by Trojan viruses.
Shaw [115] questions proposed legislation that would allow the government to regulate the internet. This
could limit internet use or allow extra fees to be charged for streaming services. The proposal to
micromanage the internet has a platform for security against malware.
Denial of Service
Aggarwal et al. [2] presented a technique for protecting dynamic mobile agents against denial of service
attacks. The procedure presented involves malicious hosts being located, and then they are excluded
from future paths. Mobile agents are beneficial because they reduce network latency and traffic, but their
introduction has also left networks more open to denial of service attacks.
Boteanu and Fernandez [11] looked at combating denial of service attacks on connection oriented
protocols. After first developing a mathematical model to analyze the tradeoff during attacks, several
preventative measures are offered using queue management strategies.
Dolev et al. [24] addressed distributed denial of service attacks in which traffic comes from multiple
sources on the internet in order to tie up a target’s resources. This type of attack can be combated by
allowing the target to control incoming traffic. Traffic of high importance is given precedence in order to
weed out potential denial of service attacks. Dolev et al. [24] argue that ISPs should allow customers
greater control in traffic shaping. References [97, 125, 129, and 138] also address distributed denial of
service attacks.
The use of active routers to combat denial of service attacks is discussed by El-Moussa et al. [27]. The
authors presented a network with distributed active routers that are integrated with cryptographic
algorithms, firewalls, and intrusion detection. The firewalls and intrusion detection can block malicious
traffic traveling through the network, while cryptography provides safe connections between users.
Furthermore, this active network approach can detect and block an attack close to its origin.
Li et al. [66] recognized that trust management in decentralized systems is vulnerable to attack. In trust
management systems, servers must evaluate credentials submitted by a client. Here, attackers can use the
delegation feature in this system to use up resources by forcing the server to perform long credential
verification procedures. By caching credentials in trust management systems, servers can speed up the
process of verifying credentials and denial of service attacks can be diminished. Reference [138] also
discusses trust management.
Min-Shiang et al. [80] looked to key agreement protocols to combat denial of service attacks. The Hiros-
Matsuura protocol is presented and found to have several weaknesses. Min-Shiang et al. [80] propose an
enhanced version of the Hiros-Matsuura protocol in which key validation is strengthened and bandwidth
is increased.
Phatak et al. [97] introduced Spread Identity to combat distributed denial of service attacks. This dynamic
network addressing mechanism provides anonymity and enhanced denial of service protection during
internet connections. Filtering in this model successfully blocks attacks with limited impact on important
traffic.
Timcenko [125] explored denial of service attacks in mobile ad-hoc networks (MANETs). Timcenko argues
that MANETs are far more vulnerable to attacks than conventional networks due to their mobile nature.
An intrusion prevention system scheme is presented to combat distributed denial of service attacks.
Walfish et al. [129] offered a unique approach to defending against denial of service attacks. They look to
offensive means, using a system referred to as “speak up”. The idea is that as traffic becomes
congested, the server causes clients to send even more traffic to better represent the good clients. Bad
clients will not be able to keep up as they are already using too much upload bandwidth.
Wang et al. [130] discuss using client puzzle techniques as a countermeasure to denial of service attacks.
Two options are presented: puzzle auctions and congestion puzzles. Puzzle auctions provide protection
between users and congestion puzzles provide control flow.
Yu et al. [138] looked at application layer distributed denial of service attacks. These requests are difficult
to distinguish from legitimate requests in the network layer. By using four aspects of trust, an overall trust
value can be computed and used to determine whether or not to accept a client’s next request.
Network Security
Prevention of attacks on computers and the networks they reside on is a constant priority for businesses
and home users. Ahirwar et al. [3] discussed that human-related incidents are the cause of a large
number of security threats and that the constantly evolving developments in technology make it difficult
to keep up with new threats. They also discussed security solutions and provided possible resources to
assist users in staying current on security measures. Blake [9] discussed that traditional techniques and
approaches are not enough to protect data and that improving security should start with the education of
database specialists. Chaudhry et al. [13] identified four factors that impact the security of
networks in organizations: security policy documentation, access control, employee awareness, and top
level management support.
CISCO [16] reported that popular campaigns to execute email worms abuse the trust of email users by
delivering emails related to news trends or hot topics at the time so that users do not question the receipt of
the email.
Command [19] states that if you work with or use a device that requires a CAC/ID card then be sure to
remove the card every time you leave your device.
Gil & Barabasi [38] state that despite substantial efforts, it has become all too common to hear a story in
the news of a large-scale data breach impacting consumers and putting their personal information at risk.
Goodall et al. [39] discussed the importance of network analysts having expert knowledge in
networking, security and problem solving. They highlighted the learning process needed to attain
this knowledge. Guynes et al. [45] introduce two issues concerning business network and transaction
security and observe that most systems are reactive when they should be proactive to avoid delays in
addressing issues.
Kreitz [62] presented a flow stealing attack. Here, a victim’s browser is redirected while browsing. Flow
stealing can be used to obtain important financial information. Kreitz discussed policies that can be
adopted by browser vendors to combat these attacks, as well as methods that stores and payment
providers could adopt.
Mohammed et al. [82] analyzed the best policies and guidelines that should be implemented by
administrators to enhance the effectiveness and strength of the network. Papanikolaou et al. [91] study
the importance of teaching network security with a hands-on approach and the manner in which it is
taught such as using challenges and real world exercises.
Saeed et al. [108] consider the impact of users on network systems, and point out that internet connections
are the main source of threats on the network. They point out the importance of network users reading
and abiding by usage policies and being aware of the threats when accessing the internet.
Zuleita and Jorswieck [140] looked at signal leakage to eavesdropping users in multi-user wireless
networks. A proposed relay design improves worst-case signal secrecy performance.
Puzis et al. [99] addressed attacks on users’ anonymity on the internet. Through eavesdropping, attackers
may be able to obtain information such as IP addresses, lists of web sites visited, and personal interests.
Puzis et al. demonstrate that attackers can obtain vital information through a collaborative attack on less
prominent nodes, even if the most prominent nodes cannot be eavesdropped.
Spark, Embleton, and Zou [119] presented a backdoor on a chipset level that allows intrusion into a
network. The chipset is the Intel 8255x. The backdoor allows sending and receiving of packets without
the need to disable security software.
Xia et al. [135] proposed a physical layer key negotiation mechanism to secure wireless networks. This
mechanism can complement existing wireless network protocols to improve security.
Yang, Lou, and Yin [136] examined quantum key distribution (QKD). A new protocol is proposed that
expands on Hwang’s QKD protocol by strengthening its weakness of shared key encryption.
Information Security
The primary purpose of protecting computers and the networks is to prevent the unauthorized access of
the data and information on those computers. Ahmad et al. [4] report that organizations are in a
preventive mindset when it comes to information security measures. They discuss how organizations
expose themselves to unnecessary security risks in order to ensure continued access to services for their
users. Aleem et al. [5] present approaches to mitigating blended threats in the areas of physical security
and information security. They discuss possible combined solutions that would address both areas.
Astakhova [7] discusses the concept of information security in a way that addresses behavioral ethics issues.
He proposed that the solution to security issues lies on the human nature side instead of the technical
side. According to Enescu & Sperdea [30], with technology growing rapidly, additional research
is being conducted on all facets of security in use by organizations. They mention areas of interest such as
developments in the security industry, how security systems are managed, and the overall function of
security in the organization.
Gupta & Hammond [44] examine security issues in small businesses; they discover that while most have
systems and procedures in place to address threats they feel that most are ineffective. Hagen et al. [46]
study information security procedures and their effectiveness. Their study indicated that in order to have
effective security measures that they be used in combination in a staircase concept with a strong
foundation. Hamid et al. [47] highlight the difficulty of obtaining approval for purchasing system
security resources for a threat event that may or may not occur. They also highlighted the need for a
reliable security network in order to protect information and computer systems. The team subsequently
mentions that when the organization is running optimally then that positive momentum leads to a
productive and successful network security team. Hong et al. [50] offer their perspective on enterprise
security strategies to assist management teams in decisions concerning securing their information and
networks.
Hussein et al. [52] discuss information threats that occur from within the organization by authorized
users and the processes they execute. They demonstrate that only a few security resources are able to
defend against information leakage and that encryption of data is a critical measure that needs to be
implemented. Ifinedo [53] covers how specific cultural aspects impact decisions on security threats and
the resources that control them. Understanding these different aspects would assist in determining the
best approach in creating and maintaining security measures. Keller et al. [58] indicate that even though
many small businesses are taking the proper steps to protect information, there are still areas that can be
overlooked, leaving them vulnerable to attacks. The team goes on to write that even though these small
businesses do not have the budget of many of the larger companies, they are avoiding issues and keeping
up with the current standards. In their conclusion they point out that internal employees pose the largest
threat to information and network security. Mlitwa & Birch [81] investigate how effective intrusion
detection systems are when protecting information on networks. They conclude that combining all
security resources in a continuous manner improves overall security results. A paper by Raiwani [100]
discusses the challenges associated with buying and selling products online. Businesses have access to
resources to keep them up to date on security measures while consumers typically do not have that kind
of critical access to help keep their information safe. Mehta & Manhas [77] examine banking on-line and
impacts to the information being shared by the banking network and the customer. They investigate
parameters such as how the size of the company has a relationship to the amount of their budgets applied
to security resources and how being public versus private impacts performance.
Liu et al. [68] study the management of medical information and the strategies to prevent security events.
They explain how to best protect medical information in today’s highly evolving tech environment.
Medlin et al. [75] discuss social engineering as a main threat to securing medical information. They
explain how hackers use social engineering to obtain information from employees to allow them access to
the hospital network. According to Mensch & Wilkie [78], college students’ awareness of information
technology security issues continues to be lacking. They offer solutions towards education awareness
and best practices to keep their information secure.
Ransbotham & Mitra [104] explain the concept of Choice and Chance attacks on networks. The Choice
method is a deliberate attack based on attractiveness and size of presence. The Chance method is an
attack that is based on opportunities, typically using information gathering techniques. Smith [117]
describes how easily computer systems may be accessed by unauthorized internal personnel and by
hackers but provides suggestions on how to prevent intrusions.
Nakashima [84] mentions that just this year, 2015, “President Obama has signed an executive order
establishing sanctions for a program to allow the administration to impose penalties on individuals
overseas who engage in destructive attacks,” that has been in the works for over two years.
Taylor [123] discusses how a series of highly publicized breaches in U.S. health care organizations have led to
several settlements and a heightened awareness by the general public of how important it is to protect
their personal information. According to Warkentin & Willison [131] great harm to company information
and their security network comes from users within the company as they have direct access to the system.
Cybercrime
Economic Times [23] published an article reporting that cybercriminals emailed links using Barack
Obama’s 2008 election win as a Trojan horse file to obtain personal information.
Naughton [85] argues that cybercrime receives low priority attention from authorities due to low
resources and lack of technical knowledge.
Paganini [90] discusses the Trojan horse Aurora that attacked several western companies in 2009.
Sujit [121] discusses cybercriminals’ increasing volumes of malware viruses year over year from 2006-2009.
These programs are being used to find passwords for bank and email accounts as well as credit card
information.
Paulson [95] covers cyber security after 9-11 interviewing IT professionals on concerns of the slow
response to security threats and solutions to the issues they see as unchanged.
Cloud Security
Fernandes et al. [32] discuss the trend of movement to the advantageous cloud computing
environments and the security concerns that have to be addressed with this new environment.
Alzain et al. [6] presented a model for cloud computing. It is suggested that a secret sharing algorithm
with multiple clouds can be used in order to ensure data integrity and to reduce security risks. Alzain et
al. [6] compare this model to Amazon’s cloud service and find many benefits over a single cloud model.
Du et al. [26] proposed a security mechanism based on virtualization. The mechanism analyzes system
calls in process and calculates deviation. The model is lightweight and scalable so as to provide more
universal appeal.
Lee et al. [65] introduced a cloud based testbed for collecting malicious data instead of a typical network
testbed. By testing spread of harmful code in a cloud based system, savings can be achieved in both time
and cost.
Intrusion Detection
Green et al. [43] reviewed data obtained from active intrusion prevention (AIP) systems in order to
enhance network security. Green et al. used the AIP findings and suggested that a strict firewall should
be in place for local attacks. Furthermore, computers should be shut down during times when not in use
in order to decrease the chance of attack as most attackers are more active at night.
Huang [51] researched distributed intrusion detection technology. Huang combines agent models and
peer to peer models of intrusion technology to develop his system APDIDS, agent based P2P distributed
intrusion detection system. This model alleviates some of the most severe problems that traditional
intrusion detection systems have, such as high bandwidth and poor scalability.
Jan et al. [56] demonstrated security weaknesses found in wireless network systems. Monitoring users
already connected to a network can help protect against attacks, while verification and authentication can
ensure eligible users are only permitted to access networks.
Kruse et al. [64] introduced a stacking approach for improving intrusion detection accuracy. Accuracy of
detectors is improved by use of stacked decision trees that raise scores in case of a true attack. This
approach helps to reduce false alarms.
Makanju et al. [73] explored the problem of evaluating the robustness of machine learning based detectors
used in intrusion systems. The training data presented in the learning algorithms determines how robust
the detector can be. Through use of previous data, machine learning detectors can better detect a variety
of attacks. Cross-attack robustness means that machines can detect attacks that are similar to attacks they
are already trained for.
Patel, Qassim, and Wills [94] presented a survey on the comprehensive state of intrusion detection and
protection systems. These systems should use a combination of techniques to assist them in determining
actual intrusion from normal activity.
Puzis et al. [99] studied the effectiveness of attacking anonymity through collaborating eavesdroppers.
Central nodes on the internet are well protected from eavesdropping. However, by use of eavesdropping
on several smaller nodes it is possible to compromise anonymity of a user. Future research calls for
analysis where nodes have anonymity services as well as eavesdropping protection.
Sharma [114] looked at intrusion in wireless local area networks (wireless LANs). Most anybody can gain
access to wireless LANs, making it hard to pinpoint intruders. In open networks, any mobile device is
open to join. In closed networks, intruders can usually crack service set identifiers by simple means.
Sharma lists several ways intrusion can be detected when in infrastructure mode.
Sodiya et al. [118] provided insight into developing a more effective intrusion detection system. By
combining data mining and expert systems, detection is more effective and false alarms are reduced.
Periodic profiling ensures user activity is always up to date.
Sparks, Embleton, and Zou [119] presented findings about intrusion through a chipset level network
backdoor. The backdoor has the ability to send and receive packets in secret. The backdoor also can
bypass virtually all firewalls and intrusion detection software. A limitation of this study was its
implementation on a specific chipset and hardware. If support could be extended to other chipsets,
however, it is apparent that the threat could increase.
Viera et al. [127] examined intrusion detection in grid and cloud computing environments. Intrusions
in cloud computing are especially difficult to detect because attacks do not leave traces in a
node’s operating system where the detection system hides. The system proposed by Viera et al. is
designed to cover attacks that are unable to be detected by network and host based intrusion detection
systems. The system also has low processing cost with satisfactory performance.
Yasinsac [137] described a method to detect intrusion in security protocol environments. Classic intrusion
detection considers activities against objects. Yasinsac’s method differs by addressing behavior relative to
protocol activation.
Liu & Cheng [69] analyze the attack patterns, trends and challenges with cyber security. They conclude
that organizations must use enhanced intrusion detection devices as well as know the weaknesses and
strengths of their own security to be successful at combating threats.
Meharouech et al. [76] discuss the purpose and limitations of Intrusion Detection Devices (IDS) and
propose the need to manage alerts and analyze information as it becomes available.
Pfleeger [96] studies an intrusion on a large company and based on the results shares how to possibly
recognize attacks early, best response options and prevention of future threats.
Spyware
Spyware is software available to attackers that gathers information about users without their knowledge
or conscious permission. Some forms of this software are considered harmless because their purpose is to
track users’ activities in order to find and display ads relevant to users’ needs. Other types of spyware that
can take control of a system are much more difficult to deal with. A similar type of software known as
ransomware will seize control of a user’s data and then demand a ransom to return control of the
information; these types of attacks soared 113% in 2014 [133, 113]. Spyware threats can multiply
dramatically on computers with shared users. Spyware is more often downloaded onto a user’s device
via free software downloads. Spyware is sometimes masked as other software to fool the user into
downloading it [10]. When harmful software infects a system it gathers details and information about the
device and the user. The software transmits the information it collects back to attackers for their
review [122]. The threat of spyware and malicious attacks is not limited to attackers in the United States.
In 2006 it was discovered that China had double the Web sites hosting spyware as the U.S. [15]. Just this
year, 2015, “President Obama has signed an executive order establishing sanctions for a program to allow
the administration to impose penalties on individuals overseas who engage in destructive attacks,” that
has been in the works for over two years [84].
Phishing
Chapman [12] examines spear phishing. A traditional phisher may send mass emails. A spear phisher
will target a business or organization by learning all available information about the company or group.
They will often target an administrator of the company. They will make an attempt to communicate with
the administrator to build trust, then will send a link or email that directs them to a malware site or
downloads a file to their system. This allows the phisher access to the group’s network. Combating spear
phishing involves a three-pronged defense: email filtering, organization-wide training, and network
monitoring.
Constantin [22] writes about a reported phishing attack against Microsoft Office 365 Outlook Web App
users. This was done to gain access to emails with spear-phishing techniques. The group attacks using
two fake domains that would be familiar to the victims. The attackers would then construct phishing
emails that would attract the victims such as well-known events or conferences.
Ferrara [33] comments that phishing attacks are ahead of the technology and training that defends against
it. Payment services make up 47% of phishing attacks. This causes a long-term risk to the economy. Many
of the attacks are successful due to victims oversharing private information. It is important for
management teams to educate employees on how to recognize and avoid phishing attacks.
Cyber criminals make diligent efforts to utilize seasonal topics for financial gain. Goretsky [41] covers
two Cyber Monday phishing emails from 2014. These emails were disguised as The Home Depot or
Costco online order receipts. They were used to obtain personal data such as credit card numbers.
King [59] reports manufacturing and mining industries are at high risk for spear-phishing scams. One in
three organizations in these sectors was subjected to at least one targeted spear-phishing attack.
Korolov [60] discusses phishing email scams during the holiday season using shopping sites such as
Amazon and eBay as disguises. This email campaign uses fake online order receipts and attachments
used to obtain login information. The hacker changes information and accesses the information within 30
minutes of obtaining the information.
Kruck [63] advises that email spoofing is a form of phishing that makes it appear that the email originated
from someone or somewhere other than the actual source. Email spoofing is intended to obtain personal
information about the victim without them ever knowing. One defense against spoofing emails is to
install and update virus scanning software.
Luo [71] proposes that the new two-factor interlock authentication protocol will give successful defense
against phishing attacks. A series of hacking scenarios show that this protocol can withstand standard
phishing strategies.
Schupak [111] explains that phishing is a numbers game. The Target and Anthem data breaches released
tens of millions of email addresses earlier this year. These breaches also gave phishing attackers access to the
names associated with each email to make the disguised emails look more legitimate.
Kruck & Kruck [63] evaluated the increasing threat of phishing to businesses, educational institutions, and
individuals. They offer methods to protect users and make recommendations for future reference.
Luo & Guan [71] propose a new authentication protocol to defend against phishing attacks. Their paper
shows how attack simulations are defeated by the use of the protocol.
Viruses
Chen [14] explains the evolution of computer viruses. From the beginning they were used to reproduce
by attaching to a normal computer program to corrupt the other programs after controlling the first
program. They have grown in sophistication over the years by continuing to hide their existence and use
social engineering to spread the attack.
Cole [18] features an article about a computer virus that targets the top 1% wealthy in the U.S. and Asia.
The attack waits for the victim to check in through a hotel WiFi network and then steals data.
UPS data was compromised and exposed by a computer virus in 2014. The Associated Press 2014 [20]
reported 51 stores in 24 states were breached by a virus that gained access to postal and email addresses
as well as credit card numbers from over 100,000 transactions. Identity protection and credit monitoring
were provided by UPS to affected customers.
Dowling [25] presents virus attacks under the categories of resident and non-resident. Resident viruses
install themselves in an operating system while a non-resident looks for a victim, attaches the infection,
and then exits the system.
Times Colonist 2015 [29] reported a computer virus that was presented to a company as a resume. The
file was presented to a District of Saanich employee and spread to many company computers. Their
information technology staff controlled the virus with a backup file system.
Technology 2015 [36] published an article about a virus that targeted gamers. This virus was a form of
ransomware. It would encrypt in the computer system. Once attached the hacker would stop the victim
from playing the game. They would offer to reveal a code to unlock the game only if the victim
would pay at least $500 in Bitcoins or $1000 in PayPal My Cash payment cards.
Gray [42] reports a malware virus used to steal money during tax season. Hackers use an attachment that
claims to contain information about the victim’s tax return. Once it is opened it is used to control different
parts of the PC and may also record video and sound if a webcam is attached to the computer.
Heisler [48] explains the first computer virus created. Elk Cloner was the first Apple virus to be
developed in 1981. It was used to exploit security flaws. Brain was the second virus and it was developed
in 1986. Its purpose was to track and punish anyone who may attempt to steal their medical software.
Computer Business Review ranked 10 of the worst computer virus outbreaks. Lima [67] writes about
various virus programs that have cost billions of dollars in damage. MyDoom is a virus that attached
itself to a Windows system folder as a Trojan and infected one in every 41 email messages. The hacker
who created the virus was never found.
Lyne [72] contributes an article about malware that holds the victim’s files for ransom. These types of
programs cause data to be inaccessible in an attempt to get the victim to pay to regain control. It is
important to have an up to date security system and backup strategy in place to combat this type of
attack.
McLaughlin [74] examines a scam that took place in Portland, ME. The scam is used to target the elderly
claiming to fix a virus on the victim’s computer. They use this to obtain the person’s personal financial
information as well as computer passwords.
Roeder [106] discusses ongoing Air Force Academy research attempting to stop computer viruses. They
are developing a program that will scan for malware and has compared over 4.5 million examples of
viruses to help combat against newly emerging attacks.
The Associated Press 2015 [120] reports Suffolk County NY successfully contained a virus that affected
thousands of government computers. The virus was used to send bogus messages. The technology
department installed an update to prevent reinfection from this virus.
A correspondent for Mid Day.com [124] explains 10 of the most notable computer viruses. These included
Michelangelo, which was programmed to activate on March 6 of every year. This caused between
10,000-20,000 different cases of data being lost. Flame is a modular malware used to gain access through
Microsoft Windows operating systems. This versatile virus can use computers as beacons by
downloading through local Bluetooth connections and through Skype conversations.
Waugh [132] examined a virus that disguised itself with fake online bank statements. The Crimeware
virus would steal passwords from your internet browser. The hackers used the program to obtain debit
card numbers. The numbers would be adjusted once you visited the site so the victim wouldn’t recognize
the theft.
Schreiber [110] reports that police in Auburn, NH are investigating an email virus that made its way
through the local government and school system.
Worms
Worms are malicious programs that are self-replicating on computers and/or computer networks
without the user’s knowledge. When a malicious program is capable of spreading via network or
remotely and self-replicates it is classified as a worm [128]. Some worms spread as network packets,
directly penetrating computer memory and activating the worm code. Worms are also spread as file
attachments in emails, links sent via instant messaging, and peer-to-peer (P2P) networks.
Email worms send copies of themselves as attachments in email messages or as links to a network resource. The
worm code activates when the infected attachment is launched or the link is opened. These worms use a
variety of different sources to find email addresses to target with the infected files, such as address books
in Microsoft Outlook, a WAB address database, and emails in a hacked email inbox. To increase chances of
infecting machines and networks most email-worms will use more than one of these sources [28].
Popular campaigns to execute email worms abuse the trust of email users by delivering emails related to
news trends or hot topics at the time so users do not question the receipt of the email [16].
Instant message worms spread through instant messaging systems by sending a link to message contacts.
Once someone clicks the link and opens the file the worm is activated and replicates [54]. P2P worms
spread via peer-to-peer file sharing networks. To get access the worm simply has to copy itself to the file
sharing directory, usually on a local machine.
Once the worm is copied to the P2P network it informs users of the file and provides access for users to
download the file from the infected computer, thus infecting the user’s computer [89].
As technology improves and capabilities of users and attackers improve, a more worrisome trend in
worms is extremely fast worms targeted to specific vulnerabilities to saturate a target population within
hours [14].
Users can take steps to protect their devices from intrusion by keeping their firewall turned on, to try to
deter hackers who may want to intrude and gain access to information [34].
Users should also install updated antivirus software designed to prevent malicious programs from infecting
devices and keep the device operating system up to date. Operating systems are updated to fix bugs and
security holes. Another way to protect devices is to be careful and aware of what users are downloading.
Do not open an email attachment in an unexpected email [34].
If you work on or use a device that requires a CAC/ID card, be sure to remove the card every time you leave
your device [19].
Users should also be aware that the current frontier in cyber security involves social media accounts and
information that users are making public without considering risks involved [83].
Man-in-the-Middle attacks
Luettmann and Bender [70] looked at the security vulnerabilities in auto-updating software. Automatic
updates were introduced to ensure that user software remained current. However, having no standard
for a protocol makes this an area that could be exploited. Luettmann and Bender present two man in the
middle attacks against HTTP downloads and proceed to demonstrate how the attacks are used against
auto updating software.
Nor et al. [86] looked at man-in-the-browser attacks, a type of man-in-the-middle attack which targets
information flow between a client and server. The lack of security on the client side is responsible for
the vulnerability. This type of attack lends concern to online banking applications. A proposed enhanced
remote authentication protocol with hardware based attestation can effectively deter attacks and preserve
privacy.
Wu et al. [134] looked at man-in-the-middle attacks in wireless LANs. Wireless LANs have increased in
use but are far more susceptible to MitM attacks. Wu et al. propose a dynamic password technology to
overcome this susceptibility. Demands for security will need to be met as wireless LANs become more
popular.
Xia et al. [135] also looked at MitM attacks in wireless LANs. A physical layer key negotiation method is
proposed. In this mechanism, the wireless networks can quickly exchange keys and establish the security
protocol. It also increases resistance to eavesdropping and brute force attacks.
Yang, Lou, and Yin [136] examined quantum key distribution (QKD) and proposed a new key expansion
scheme. Yang et al. showed that Hwang’s QKD protocol is weak in its encrypting of the shared key. The
proposed model can prevent the attack by encrypting the key into a sequence of unitary operators.
Reference [139] also looks at QKD.
Zhang, Wang, and Tang [139] looked at fake-state attacks. Typical fake-state attacks are combated by
installation of a watchdog. The presented attack scheme, however, is hard to detect. The scheme shows
quantum cryptography needs more research to ensure protection.
Passwords
Medlin et al. [75] study social engineering attacks on hospitals to gain access to medical information on
the hospital networks. The results showed that 73% of the employees tested shared their password,
proving that hospitals need additional training on security awareness.
A password is a secret word or phrase that is used to prove identity before granting access to particular
resources. In the digital age passwords are a string of characters used in combination with a unique
username to gain access on different devices such as computer systems, mobile devices, gaming consoles,
etc. Passwords are in place for security purposes, to protect personal and proprietary information, but
every password is at risk for a security breach [116].
Krebs [61] explains that a strong password can go a long way in protecting your information from
hackers. In 2005 identity-related attacks in the US totaled more than 56.6 billion dollars and should serve
as a picture of why creating strong passwords to protect your information is vital [126].
Users should use a combination of words, characters, numbers, upper-case letters, and lower-case letters
to create unique passwords. Users should avoid using passwords that are simple or words in the
dictionary. There are several password-cracking tools available to the general public that will try
thousands of common names and passwords to crack passwords. It is also good practice to avoid using
obvious keyboard combinations like “qwerty” or “123456.” A strong password can be created by using a
collection of words that form a phrase or sentence while incorporating the use of characters and numbers
previously mentioned. Users should go a step further in lessening their vulnerability by avoiding using
the same password for multiple log-ins or sites. Users should avoid using their email password for any
other account. Users may also find added protection in using a third-party program that can help
safeguard passwords.
Scherzer [109] goes on to explore the sufficient length of a password to ensure the most protection against
attackers. The longer and more complicated the combination of characters for a user’s password the
longer it takes software to crack it. With the rise of security breaches via password hacks the security
community has explored the necessity of passwords and consequences of eliminating them.
Most professionals believe passwords are here to stay, but MicroStrategy has released a cyber security
product, Usher Mobile, allowing employees to identify themselves and enter secure spaces via their
smartphones, eliminating the need for traditional forms of identification, including passwords [57].
It is also very important for users to avoid storing passwords unless absolutely necessary, and users must
ensure that any passwords they store are stored securely [87]. The human factor in creating and storing passwords
assures us that there will always be vulnerabilities in this area of cyber security. When people have
trouble remembering passwords they will typically write them down, forget them and require frequent
assistance, use very simple passwords or reuse old passwords [49, 105].
Despite substantial efforts, it has become all too common to hear a story in the news of a large-scale data
breach impacting consumers and putting their personal information at risk [38].
Targeted attacks are becoming an established part of the cyber security threat landscape [37]. A series of
highly publicized breaches in U.S. health care organizations have led to several settlements and a
heightened awareness by the general public of how important it is to protect their personal information
[123].
In addition to high profile health care breaches, back in 2011 attackers stole 90,000 pairs of emails and
passwords from military contractor Booz Allen Hamilton, among many other large-scale attacks; this
gives hackers direct access to very sensitive information [75].
In 2012 hackers stole 6.5 million passwords from the professional networking website, LinkedIn. In 2013
attackers were able to obtain account information from 2.9 million Adobe users. While these are only a
few examples from a few years, there are several attacks happening every year, some that make it into the
news and some that do not. Attackers are using more advanced tools and sometimes it seems that
humans cannot protect themselves enough. Tools such as GPUs are being used more than CPUs because
their capability to crack passwords is much faster than CPUs [102].
GPU computing is contributing mostly to offline password cracking, because online sites typically allow a
limited number of attempts to log in before the account is locked. In 2012 a GPU cluster was revealed that
could crack every standard Windows password in less than 6 hours [40]. This machine was the first to use
a package of virtualization software on a five-server system and allow the servers to function as if they
are all running on a single computer, making the process four times faster than before.
Password hashes were created for storing users’ passwords. A one-way hash transforms passwords so that
they are not stored in plain text, while the system that a user is logging into still has something to match the login against.
Rankin [102] shares that the idea behind the one-way hash is that a user’s password can easily be
converted to a hash, but not easily be converted from a hash back to a password. Essentially an attacker
must know the user’s hash to crack the password. There are several software options available that
perform one of two main attacks: dictionary and brute-force attacks [103].
To perform a dictionary attack the attacker provides the cracking software with a dictionary full of
possible passwords to try. In executing a brute-force attack the software iterates through all possible
combinations for a password of a specified length [101].
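The defender's side of the passage above, as an added example that is not from the paper or its cited sources: it contrasts an unsalted fast hash with salted PBKDF2 storage, checks a new password against a word list, and sizes the search space a brute-force attack has to cover. The blocklist, iteration count and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed values for illustration (not from the paper).
PBKDF2_ITERATIONS = 600_000   # work factor: makes every offline guess expensive
SALT_BYTES = 16
# Constructed sample blocklist, standing in for the word list a
# dictionary attack would try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def unsalted_sha256(password: str) -> str:
    """Weak storage: one fast hash, no salt.

    Two users with the same password get the same stored value, so a
    single guess is checked against every account at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened storage: per-user random salt plus a slow key-derivation function."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Login check: re-derive the hash from the submitted password and compare.

    The stored hash is never turned back into a password; compare_digest
    keeps the comparison constant-time.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def in_dictionary(password: str) -> bool:
    """Reject, at password-set time, anything a dictionary attack would try."""
    return password.lower() in COMMON_PASSWORDS


def brute_force_keyspace(alphabet_size: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length over the given alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def hours_to_exhaust(alphabet_size: int, max_length: int,
                     guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate at an assumed guess rate."""
    return brute_force_keyspace(alphabet_size, max_length) / guesses_per_second / 3600


if __name__ == "__main__":
    # Same password, two accounts: identical under the weak scheme,
    # different under the salted scheme.
    print(unsalted_sha256("letmein") == unsalted_sha256("letmein"))
    salt_a, digest_a = hash_password("letmein")
    salt_b, digest_b = hash_password("letmein")
    print(digest_a == digest_b)
    print(verify_password("letmein", salt_a, digest_a))

    # Each extra character multiplies the brute-force work by the alphabet
    # size (95 printable ASCII characters). The guess rate is an assumed figure.
    assumed_rate = 1e9
    for length in (6, 8, 10):
        print(length, round(hours_to_exhaust(95, length, assumed_rate), 2))
```

Account lockout limits online guessing only; once the hashes themselves are stolen, the salt and the work factor are what slow the attacker down.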
Several password studies have been conducted over the last few years in reference to how often users
changed their passwords, the strength of the changed passwords, how many passwords are maintained,
etc. In 2014 Statista was interested in comparing Millennial password practices to Generation X password
practices. They found that 19% of Millennials in the U.S. change their online password once a month and
only 13% of Generation X change their online passwords once a month [79].
A 2012 study of Sony and Yahoo! passwords found that 59% of the users compared in the 2012 Yahoo!
Voices password database breach and 2011 SonyPictures.com password data breach reused the exact
same password. Two percent of the users reused the same password with capitalization differences and
only 39% of users used unique passwords [92].
A study conducted in 2012 sought to answer how many passwords online adults maintain. The study
found that 58% of online adults maintain five or more unique passwords, 30% maintain ten or more
unique passwords and 8% maintain a whopping twenty-one or more unique passwords [93]. Users will
have to continue to be aware of fundamental technology for security and privacy on the Internet and
apply this information to steps like creating passwords [88].
REFERENCES
[1] Abdulla, M. F., & Ravikumar, C. P. (2004). A self-checking signature scheme for checking
backdoor security attacks in Internet. Journal Of High Speed Networks, 13(4), 309-317.
[2] Aggarwal, M., Nipur, & Pallavi. (2010). Protecting Dynamic Mobile Agent against Denial of
Service Attacks. AIP Conference Proceedings, 1324(1), 316-318. doi:10.1063/1.3526222
[3] Ahirwar, D., Ahirwar, M. K., Shukla, P. K., & Richharia, P., (2011). An analytical survey on
network security enhancement services. International Journal of Computer Science and Information
Security, 9(3), 259-262.
[4] Ahmad, A., Maynard, S. B., & Park, S., (2014). Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intellectual Manufacturing, 25, 357-370.
doi:10.1007/s10845-012-0683-0
[5] Aleem, A., Wakefield, A., & Button, M., (2013). Addressing the weakest link: Implementing
converged security. Security Journal, 26(3), 236-248.
[6] Alzain, M. A., Soh, B., & Pardede, E. (2012). A new model to ensure security in cloud computing
services. Journal of Service Science Research, 4(1), 49-70. doi:http://0-
dx.doi.org.athens.iii.com/10.1007/s12927-012-0002-5
[7] Astakhova, L. V., (2014). The concept of the information security culture. Scientific and Technical
Information Processing, 41(1), 22-28.
[8] Barker, I. (2015, March 22). Multi-purpose backdoor Trojan threatens Windows systems.
Retrieved April 3, 2015, from http://betanews.com/2015/03/24/multi-purpose-backdoor-trojan-
threatens-windows-systems/
[9] Blake, E. A., Network and database security: Regulatory compliance, network, and database
security - A unified process and goal. Journal of Digital Forensics, Security and Law, 2(4), 77-106.
[10] Bloch, M. (n.d.). Spyware - definitions, statistics, prevention and removal. Retrieved April 4, 2015,
from http://www.tamingthebeast.net/articles6/spyware.htm
[11] Boteanu, D., & Fernandez, J. M. (2013). A comprehensive study of queue management as a DoS
counter-measure. International Journal Of Information Security, 12(5), 347-382. doi:10.1007/s10207-
013-0197-6
[12] Chapman, T. (2015, March 27). Spear-Phishing Could Enable Cyberterrorism Attacks Against
The U.S. Retrieved April 5, 2015, from http://techcrunch.com/2015/03/27/spear-phishing-
could-enable-cyberterrorism-attacks-against-the-u-
s/?utm_content=13578937&utm_medium=social&utm_source=twitter
[13] Chaudhry, P. E., Chaudhry, S., & Reese R., (2012). Developing a model for enterprise information
systems security. Economics, Management, and Financial Markets, 7(4), 587-599.
[14] Chen, T. (n.d.). Trends in Viruses and Worms - The Internet Protocol Journal - Volume 6, Number
3. Retrieved April 4, 2015, from
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-3/virus_trends.html
[15] China gets the spyware crown. (2006, May 11). Retrieved April 2, 2015, from
http://articles.economictimes.indiatimes.com/2006-05-11/news/27445150_1_spyware-adware-
trojan-horse
[16] Cisco 2014 Annual Security Report. (n.d.). Retrieved April 4, 2015, from
http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
[17] Cloherty, J., & Thomas, P. (2014, November 6). 'Trojan Horse' Bug Lurking in Vital US Computers
Since 2011. Retrieved April 3, 2015, from http://abcnews.go.com/US/trojan-horse-bug-lurking-
vital-us-computers-2011/story?id=26737476
[18] Cole, M. (2014, November 19). The computer virus that targets the 1 percent. Retrieved April 3,
2015, from http://theweek.com/articles/442134/computer-virus-that-targets-1-percent
[19] Command Cyber Readiness Inspection coming Jan. 26. (2015, January 7). Retrieved April 5, 2015,
from http://www.edwards.af.mil/news/story.asp?id=123435688
[20] Computer virus caused data breach at UPS stores in 24 states. (2014, August 20). Retrieved
April 3, 2015, from http://www.wusa9.com/story/news/nation/2014/08/20/computer-virus-
caused-data-breach-at-ups-stores-in-24-states/14370123/
[21] Computer Virus Statistics. (n.d.). Retrieved April 3, 2015, from
http://www.statisticbrain.com/computer-virus-statistics/
[22] Constantin, L. (2014, October 24). Sophisticated phishing attacks launched against Outlook Web
App users. Retrieved April 2, 2015, from
http://www.pcworld.com/article/2838652/cyberespionage-group-launches-sophisticated-
phishing-attacks-against-outlook-web-app-users.html
Cyberattack. (n.d.). Retrieved April 2, 2015, from
http://www.techopedia.com/definition/24748/cyberattack
[23] Cybercriminals exploit Obama's victory. (2008, November 6). Retrieved April 5, 2015, from
http://articles.economictimes.indiatimes.com/2008-11-06/news/28451370_1_cybercriminals-
link-trojan-horse
Cybersecurity. (n.d.). Retrieved April 2, 2015, from
http://www.techopedia.com/definition/24747/cybersecurity
Defending the digital frontier. (n.d.). (2014, July 12). Retrieved April, 2, 2015, from
http://www.economist.com/news/special-report/21606416-companies-markets-and-countries-are-
increasingly-under-attack-cyber-criminals
[24] Dolev, S., Elovici, Y., Kesselman, A., Zilberman, P., & Kakugawa, H. (2011). Trawling traffic
under attack overcoming DDoS attacks by target-controlled traffic filtering. International Journal
Of Foundations Of Computer Science, 22(5), 1073-1098.
[25] Dowling, B. (2015, February 17). Dowling: The computer virus then and now. Retrieved April 3,
2015, from http://www.tallahassee.com/story/money/2015/02/17/dowling-computer-virus-
now/23576459/
[26] Du, Y., Zhang, R., & Li, M. (2013). Research on a security mechanism for cloud computing based
on virtualization. Telecommunication Systems, 53(1), 19-24. doi:http://0-
dx.doi.org.athens.iii.com/10.1007/s11235-013-9672-7
[27] El-Moussa, F. A., Linge, N., & Hope, M. (2007). Active router approach to defeating denial-of-
service attacks in networks. IET Communications, 1(1), 55-63. doi:10.1049/iet-com:20050441
[28] Email-Worm. (n.d.). Retrieved April 2, 2015, from https://securelist.com/threats/email-worm/
[29] Encrypting computer virus briefly hobbles Saanich. (2015, March 12). Retrieved April 3, 2015,
from http://www.timescolonist.com/news/local/encrypting-computer-virus-briefly-hobbles-
saanich-1.1791285
[30] Enescu, M., & Sperdea N. M., (2011). The specifics of security management: The functions of
information security required by organizations. Economics, Management, and Financial Markets,
6(2), 200-205.
[31] Equation Group: From Houston with love. (2015, February 19). Retrieved April 5, 2015, from
http://securelist.com/blog/research/68877/equation-group-from-houston-with-love/
[32] Fernandes, D. A. B., Soares, L. F. B., Gomes, J. V., Freire, M. M., & Inacio, P. R. M., (2014). Security
issues in cloud environments: a survey. International Journal Of Information Security, 13, 113-170.
doi:10.1007/s10207-013-0208-7
[33] Ferrara, J. (2014, September 3). Phishing Scams at All-Time High, Employee Training Not
Keeping Pace - Wall Street & Technology. Retrieved April 3, 2015, from
http://www.wallstreetandtech.com/security/phishing-scams-at-all-time-high-employee-
training-not-keeping-pace/a/d-id/1306866
[34] Foxworth, D. (2014, October 3). Retrieved April 3, 2015, from
http://www.fbi.gov/sandiego/press-releases/2014/national-cyber-security-awareness-month
[35] Frank, P. (2014, August 4). The Nastiest Computer Viruses, Transformed Into Trippy Artworks.
Retrieved April 3, 2015, from http://www.huffingtonpost.com/2014/08/04/computer-virus-
art_n_5628710.html
[36] Gamers targeted by ransomware virus. (2015, March 13). Retrieved April 3, 2015, from
http://www.bbc.com/news/technology-31869589
[37] Garnaeva, M., Chebyshev, V., Makrushin, D., Unuchek, R., & Ivanov, A. (n.d.). KSB 2014. Overall
statistics for 2014. Retrieved April 4, 2015, from http://securelist.com/analysis/kaspersky-
security-bulletin/68010/kaspersky-security-bulletin-2014-overall-statistics-for-2014/
[38] Gil, S., Kott, A., & Barabasi, A. (2014, July 16). A genetic epidemiology approach to cyber-
security. Retrieved April 5, 2015, from
http://www.nature.com/srep/2014/140711/srep05659/full/srep05659.html
[39] Goodall, J. R., Lutters, W. G., & Komlodi, A., (2009). Developing expertise for network intrusion
detection. Information Technology & People. 22(2), 92-108. doi: 10.1108/09593840910962186
[40] Goodin, D. (2012, December 9). 25-GPU cluster cracks every standard Windows password in.
Retrieved April 5, 2015, from http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-
every-standard-windows-password-in-6-hours/
[41] Goretsky, A. (2014, November 30). Cyber Monday: Costco and Home Depot phishing emails
target shoppers. Retrieved April 2, 2015, from
http://www.welivesecurity.com/2014/11/30/costco-home-depot-phishing-emails-target-cyber-
monday-shoppers/
[42] Gray, R. (2015, April 2). Fake tax return email hides deadly computer virus. Retrieved April 5,
2015, from http://www.eveningtimes.co.uk/news/fake-tax-return-email-hides-deadly-
computer-virus-197376n.118297487
[43] Green, I., Raz, T., & Zviran, M. (2007). Analysis of active intrusion prevention data for predicting
hostile activity in computer networks. Communications Of The ACM, 50(4), 63-68.
doi:10.1145/1232743.1232749
[44] Gupta, A., & Hammond, R., (2005). Information systems security issues and decisions for small
businesses: An empirical examination. Information Management & Computer Security, 13(4), 297-
310.
[45] Guynes, C. S., Wu, Y., & Windsor, J., (2011). E-Commerce/Network security considerations.
International Journal of Management and Information Systems, 15(2), 1-7.
[46] Hagen, J. M., Albrechtsen, E., & Hovden, J., (2008). Implementation and effectiveness of
organizational information security measures. Information Management & Computer Security, 16(4),
377-397. doi: 10.1108/09685220810908796
[47] Hamid J., Fernando, S., Nkhoma M. Z., & Mouratidis, H., (2007). Information systems security:
Cases of network administrator threats. International Journal of Information Security and Privacy,
1(3), 13-25.
[48] Heisler, Y. (2015, March 23). The story behind the first computer viruses ever. Retrieved April 5,
2015, from http://bgr.com/2015/03/23/computer-virus-names-history/
[49] Hitachi ID Systems, Inc. (n.d.). Retrieved April 2, 2015, from http://hitachi-id.com/password-
manager/docs/password-management-best-practices.html
[50] Hong, K. S., Chi, Y. P., Chao, L. R., Tang, J. H., (2003). An integrated system theory of information
security management. Information Management & Computer Security, 11(5), 243-248. doi:
10.1108/09685220310500153
[51] Huang, X. (2014). Construction research of computer network system security based on
distributed intrusion detection technology. Journal of Networks, 9(10), 2813+. Retrieved from
http://0-
o.galegroup.com.athens.iii.com/ps/i.do?id=GALE%7CA387060161&v=2.1&u=athe65862&it=r&p
=AONE&sw=w&asid=bab0c06a883efa0561b5688a14d93dbc
[52] Hussein, O., Hamza, N., & Hefny, H., (2014). Limitations of current security measures to address
information leakage attacks. International Journal of Computer Science and Information Security,
12(8), 26-32.
[53] Ifinedo, P., (2014). The effects of national culture on the assessment of information security
threats and controls in financial services industry. International Journal of Electronic Business
Management, 12(2), 75-89.
[54] IM-Worm. (n.d.). Retrieved April 4, 2015, from https://securelist.com/threats/im-worm/
[55] Inside the EquationDrug Espionage Platform. (2015, March 11). Retrieved April 2, 2015, from
http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/
Cybersecurity, Innovation and the Internet Economy. (n.d.). (2011, June). Retrieved April 4, 2015, from
http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf
[56] Ján, K., L'ubomír, D., & Ján, P. (2011). Intrusion Detection Methods in Wireless Network Systems.
Journal Of Electrical & Electronics Engineering, 4(1), 79-82.
[57] Kangarloo, K. (2015, April 3). MicroStrategy releases Usher Mobile, its first cyber security product
- Washington Business Journal. Retrieved April 5, 2015, from
http://www.bizjournals.com/washington/blog/techflash/2015/04/microstrategy-releases-
usher-its-first.html?page=all
[58] Keller, S., Powell, A., Horstmann, B., Predmore, C., & Crawford, M., (2005). Information security
threats and practices in small businesses. Information Systems Management, 22(2), 7-19.
[59] King, R. (2014, April 8). Mining, Manufacturing at Highest Risk for Spear Phishing: Symantec.
Retrieved April 2, 2015, from http://blogs.wsj.com/cio/2014/04/08/mining-manufacturing-at-
highest-risk-for-spear-phishing-symantec/
[60] Korolov, M. (2014, November 11). Amazon phishing attacks pick up for holiday shopping season.
Retrieved April 2, 2015, from http://www.csoonline.com/article/2846438/malware-
cybercrime/amazon-phishing-attacks-pick-up-for-holiday-shopping-season.html
[61] Krebs, B. (n.d.). Krebs on Security. Retrieved April 1, 2015, from
http://krebsonsecurity.com/password-dos-and-donts/
[62] Kreitz, G. (2013). Flow stealing: A well-timed redirection attack. Journal Of Computer Security,
21(3), 371-391. doi:10.3233/JCS-130466
[63] Kruck, Gregory P., & Kruck, S. E. (2006). Spoofing - A look at an evolving threat. The Journal of
Computer Information Systems, 47, 95-100.
[64] Kruse, R., Beer, M., Zadeh, L. A., Otte, C., & Störmann, C. (2011). Improving the accuracy of
network intrusion detectors by input-dependent stacking. Integrated Computer-Aided Engineering,
18(3), 291-297.
[65] Lee, J., Cho, J., Seo, J., Shon, T., & Won, D. (2013). A novel approach to analyzing for detecting
malicious network activity using a cloud computing testbed. Mobile Networks and Applications,
18(1), 122-128. doi:http://0-dx.doi.org.athens.iii.com/10.1007/s11036-012-0375
[66] Li, J., Li, N., Wang, X., & Yu, T. (2009). Denial of service attacks and defenses in decentralized
trust management. International Journal Of Information Security, 8(2), 89-101. doi:10.1007/s10207-
008-0068-8
[67] Lima, J. (2015, March 19). QUARANTINE ZONE: 10 of the worst computer virus outbreaks.
Retrieved April 5, 2015, from http://www.cbronline.com/news/cybersecurity/data/quarantine-
zone-10-of-the-worst-computer-virus-outbreaks-4536386
[68] Liu, C.H., Chung, Y. F., Chen, T. S. & Wang, S.D., (2012). The enhancement of security in
healthcare information systems. Journal of Medical Systems, 36, 1673-1688. doi: 10.1007/s10916-010-
9628-3
[69] Liu, S., & Cheng, B., (2009). Cyberattacks: Why, what, who, and how. IT Pro, 14-21.
[70] Luettmann, B. M., & Bender, A. C. (2007). Man-in-the-middle attacks on auto-updating software.
Bell Labs Technical Journal, 12(3), 131-138. doi:10.1002/bltj.20255
[71] Luo, X., & Guan, T. T., (2007). Defeating active phishing attacks for web-based transactions.
International Journal Of Information Security and Privacy, 1(3), 47-60.
[72] Lyne, J. (2013, October 22). Computer Virus Spreading That Means You Never Get To See Your
Files Again. Retrieved April 4, 2015, from
http://www.forbes.com/sites/jameslyne/2013/10/22/computer-virus-spreading-that-means-
you-never-get-to-see-your-files-again/
[73] Makanju, A., Zincir-Heywood, A. N., & Milios, E. E. (2011). Robust learning intrusion detection
for attacks on wireless networks. Intelligent Data Analysis, 15(5), 801-823.
[74] McLaughlin, R. (2015, March 27). AARP Maine officials warn of computer virus phone scam.
Retrieved April 3, 2015, from http://bangordailynews.com/2015/03/27/news/state/aarp-
maine-officials-warn-of-computer-virus-phone-scam/
[75] Medlin, B. D., Cazier, J.A., & Foulk, D.P. (2008). Analyzing the vulnerability of U.S. hospitals to
social engineering attacks: How many of your employees would share their password?.
International Journal of Information Security and Privacy, 2(3), 71-83.
[76] Meharouech, S., Bouhoula, A., & Abbes, T., (2011). Network security alerts management
architecture for signature-based intrusions detection systems within a NAT environment. Journal
of Network System Management, 19, 472-495. doi: 10.1007/s10922-010-9195-4
[77] Mehta, V., & Manhas, P. S., (2005). Leveraging information systems tools, security and on-line
usage in banking and insurance sector. Journal of Services Research, 5(2), 193-204.
[78] Mensch, Scott, & Wilkie, LeAnn. (2011). Information security activities of college students: An
exploratory study. Academy of Information and Management Sciences Journal, 14(2), 91-116.
[79] Millennials and Gen X: Frequency of password changes 2014 | Statistic. (n.d.). Retrieved April 5,
2015, from http://www.statista.com/statistics/305455/millennials-generation-x-frequency-of-
password-changes/
[80] Min-shiang, H., Jung-wen, L., & Chia-hsin, L. (2004). Enhanced of Key Agreement Protocols
Resistant to a Denial-of-Service Attack. Fundamenta Informaticae, 61(3/4), 389-398.
[81] Mlitwa, N. B. W., & Birch, D., (2011). The role of intrusion detection systems in electronic
information security. Journal of Engineering, Design and Technology, 9(3), 296-312. doi:
10.1108/17260531111179915
[82] Mohammed, A., Sulaiman, M. N., & Muhammad N. M., (2013). Analysis of network security
policy Based management. International Journal of Computer Science and Information Security,
11(3), 143-146.
[83] Mosendz, P. (2015, March 31). Cyber Security Advocate Unveils 26,000 ISIS-Linked Twitter
Accounts. Retrieved April 5, 2015, from http://www.newsweek.com/cyber-security-advocate-
unveils-26000-isis-linked-twitter-accounts-
318063?piano_t=1&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:
armycybernews (Army Cyber News)
[84] Nakashima, E. (2015, April 2). U.S. establishes sanctions program to combat cyberattacks,
cyberspying. Retrieved April 5, 2015, from http://www.washingtonpost.com/world/national-
security/us-to-establish-sanctions-program-to-combat-cyberattacks-
cyberspying/2015/03/31/7f563474-d7dc-11e4-ba28-
f2a685dc7f89_story.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:
armycybernews (Army Cyber News)
[85] Naughton, J. (2015, March 29). These days crime doesn’t pay… unless it’s done online. Retrieved
April 4, 2015, from http://www.theguardian.com/commentisfree/2015/mar/29/cybercrime-
online-government-cuts-crime-statistics
[86] Nor, F. B. M., Jalil, K. A., & Manan, J.-L. A. (2012). Mitigating man-in-the-browser attacks with
hardware-based authentication scheme. International Journal of Cyber-Security and Digital Forensics,
1(3), 204+. Retrieved from http://0-
go.galegroup.com.athens.iii.com/ps/i.do?id=GALE%7CA354578168&v=2.1&u=athe65865&it=r&
p=AONE&sw=w&asid=fefef55c6d26d150c141310483f6ac66
[87] Online Trust Alliance. (2015, January 21). Retrieved April 5, 2015, from
https://otalliance.org/resources/security-privacy-best-practices
[88] Orman, H., & Pfleeger, C. (2015, February 1). Mathematics and Physics Build a New Future for
Secure Communication [Guest editors' introduction]. Retrieved April 3, 2015, from
http://www.computer.org/csdl/mags/sp/2015/01/msp2015010012-abs.html
[89] P2P-Worm. (n.d.). Retrieved April 4, 2015, from https://securelist.com/threats/p2p-worm/
[90] Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing
attacks? Retrieved April 2, 2015, from
http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-
aurora-and-ongoing-attacks.html
[91] Papanikolaou, A., Vlachos, V., Venieris, A., Ilioudis, C., Papapanagiotou, K., & Stasinopoulos, A.,
(2013). A framework for teaching network security in academic environments. Information
Management & Computer Security, 21(4), 315-338. doi: 10.1108/IMCS-11-2011-0056
[92] PasswordResearch.com Statistic - Actual password reuse between two breached web sites with
plaintext passwords. (2012, July 12). Retrieved April 5, 2015, from
http://passwordresearch.com/stats/statistic312.html
[93] PasswordResearch.com Statistic - How many passwords do online adults maintain? (2012,
August 1). Retrieved April 5, 2015, from http://passwordresearch.com/stats/statistic361.html
[94] Patel, A., Qassim, Q., & Wills, C. (2010). A survey of intrusion detection and prevention systems.
Information Management & Computer Security, 18(4), 277-290. doi:http://0-
dx.doi.org.athens.iii.com/10.1108/09685221011079199
[95] Paulson, L. D., (2002, July/August). Post 9-11 security: Few changes, business as usual rules. IT
Pro, 10-13.
[96] Pfleeger, S. L., (2010, July/August). Anatomy of an intrusion. IT Pro, 20-28.
[97] Phatak, D., Sherman, A. T., Joshi, N., Sonawane, B., Relan, V. G., & Dawalbhakta, A. (2013).
Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS
defense. Journal Of Computer Security, 21(2), 233-281.
[98] Pillai, A. (2011, March 15). Trojan horses are still a big threat. Retrieved April 5, 2015, from
http://articles.economictimes.indiatimes.com/2011-03-15/news/28691677_1_trojan-horse-cyber-
criminals-email-attachment
[99] Puzis, R., Yagil, D., Elovici, Y., & Braha, D. (2009). Collaborative attack on internet users'
anonymity. Internet Research, 19(1), 60-77. doi:http://0-
dx.doi.org.athens.iii.com/10.1108/10662240910927821
[100] Raiwani, Y.P., (2012). Network management, security & privacy issues in e-commerce. Journal of
Information and Operations Management, 3(1), 217-221.
[101] Rankin, K. (2012, July 9). Hack and / - Password Cracking with GPUs, Part III: Tune Your Attack.
Retrieved April 5, 2015, from http://www.linuxjournal.com/content/hack-and-password-
cracking-gpus-part-iii-tune-your-attack
[102] Rankin, K. (2012, March 15). Hack and / - Password Cracking with GPUs, Part I: The Setup.
Retrieved April 1, 2015, from http://www.linuxjournal.com/content/hack-and-password-
cracking-gpus-part-i-setup
[103] Rankin, K. (2012, March 29). Hack and / - Password Cracking with GPUs, Part II: Get Cracking.
Retrieved April 1, 2015, from http://www.linuxjournal.com/content/hack-and-password-
cracking-gpus-part-ii-get-cracking
[104] Ransbotham, R., & Mitra, S., (2009). Choice and chance: A conceptual model of paths to
information security compromise. Information Systems Research, 20(1), 121-139. doi:
10.1287/isre.1080.0174
[105] Rieker, M. (2014, May 16). Wall Street Journal - Experts: Advisers Lax on Cybersecurity - eSentire.
Retrieved April 2, 2015, from https://www.esentire.com/wall-street-journal-experts-advisers-
lax-cybersecurity/
[106] Roeder, T. (2015, April 2). AFA Cadets Working on System to Stop Computer Viruses. Retrieved
April 5, 2015, from http://www.military.com/daily-news/2015/04/02/afa-cadets-working-on-
system-to-stop-computer-viruses.html
[107] Russell, J. (2011, October 25). Japanese government hit by Chinese Trojan horse attack. Retrieved
April 4, 2015, from http://thenextweb.com/asia/2011/10/25/japanese-government-hit-by-
chinese-trojan-horse-attack/
[108] Saeed, W., Khan, A. I., & Hussain, F., Impact of users on network security in Universities of
Pakistan. International Journal of Organizational Innovation, 113-126.
[109] Scherzer, L. (2013, January 15). Your Password Isn't Safe: 90% Are Vulnerable to Hacking, Says
Report. Retrieved April 5, 2015, from http://finance.yahoo.com/blogs/the-
exchange/password-isn-t-safe-90-vulnerable-hacking-213820350.html
[110] Schreiber, J. (2015, March 31). Police investigating virus that attacked Auburn town, school
computers | New Hampshire Hooksett Banner. Retrieved April 3, 2015, from
http://www.newhampshire.com/apps/pbcs.dll/article?AID=/20150331/NEWHAMPSHIRE14
10/150409985
[111] Schupak, A. (2015, March 27). Phishing emails to watch out for. Retrieved April 4, 2015, from
http://www.cbsnews.com/news/phishing-emails-to-watch-out-for/
[112] Schwartz, M. (2015, April 4). Cyber-Attacks Target Energy Firms. Retrieved April 5, 2015, from
http://www.govinfosecurity.com/cyber-attacks-target-energy-firms-a-8068
[113] Security Response Publications. (2014, December 1). Retrieved April 5, 2015, from
http://www.symantec.com/security_response/publications/threatreport.jsp
[114] Sharma, V. (2004). Intrusion Detection in Infrastructure Wireless LANs. Bell Labs Technical Journal,
8(4), 115-119. doi:10.1002/bltj.10090
[115] Shaw, C. (2015, February 11). Net Neutrality Is a Trojan Horse Virus Infecting the Internet.
Retrieved April 3, 2015, from http://www.thenewamerican.com/tech/computers/item/20102-
net-neutrality-is-a-trojan-horse-virus-infecting-the-internet
[116] Shaw, R. (2013, July 18). Password Cracking Evolution - InfoSec Institute. Retrieved April 3, 2015,
from http://resources.infosecinstitute.com/password-cracking-evolution/
[117] Smith, R., (2009). Information security - A critical business function. Journal of GXP
Compliance, 13(4), 62-68.
[118] Sodiya, A. S., Longe, H. O. D., & Akinwale, A. T. (2004). A new two-tiered strategy to intrusion
detection. Information Management & Computer Security, 12(1), 27-44. Retrieved from
http://search.proquest.com.athens.iii.com/docview/212336843?accountid=8411
[119] Sparks, S., Embleton, S., and Zou, C. (2009). A chipset level network backdoor: bypassing host-
based firewall & IDS. In Proceedings of the 4th International Symposium on Information, Computer,
and Communications Security. 125-134. ACM, New York, NY. doi:10.1145/1533057.1533076
[120] Suffolk County, NY: Computer virus successfully contained. (2015, February 25). Retrieved April
3, 2015, from http://www.washingtontimes.com/news/2015/feb/25/suffolk-county-ny-
computer-virus-successfully-cont/
[121] Sujit, J. (2010, January 19). Fortify your online defences, now. Retrieved April 5, 2015, from
http://articles.economictimes.indiatimes.com/2010-01-19/news/27590218_1_security-software-
symantec-trojan-horse
[122] Tarakanov, D. (2011, October 17). SpyEye vs. Tracker. Retrieved April 5, 2015, from
http://securelist.com/blog/research/31388/spyeye-vs-tracker-11/
[123] Taylor, M. (2015, February 10). Hospitals Battle Data Breaches With a Cybersecurity SOS.
Retrieved April 5, 2015, from http://www.hhnmag.com/display/HHN-news-
article.dhtml?dcrPath=/templatedata/HF_Common/NewsArticle/data/HHN/Magazine/2015
/Feb/fea-hospital-cybersecurity
[124] Tech feature: 10 notable computer virus attacks. (2015, March 6). Retrieved April 2, 2015, from
http://www.mid-day.com/articles/tech-feature-10-notable-computer-virus-attacks/16040183
[125] Timcenko, V. V. (2014). An approach for DDoS attack prevention in mobile ad hoc networks.
Elektronika ir Elektrotechnika, 20(6), 150+. Retrieved from http://0-
go.galegroup.com.athens.iii.com/ps/i.do?id=GALE%7CA383459199&v=2.1&u=athe65862&it=r
&p=AONE&sw=w&asid=ed963ea7bd5de9753f7dc029242f91cf
[126] Understanding cybercrime: Phenomena, challenges and legal response. (2012, September 1).
Retrieved April 4, 2015, from http://www.itu.int/ITU-D/cyb/cybersecurity/docs/Cybercrime
legislation EV6.pdf
[127] Vieira, K., Schulter, A., Westphall, C., & Westphall, C. (2010). Intrusion detection for grid and
cloud computing. IT Professional Magazine, 12(4), 38-43. doi:http://0-
dx.doi.org.athens.iii.com/10.1109/MITP.2009.89
[128] Viruses and worms. (n.d.). Retrieved April 1, 2015, from https://securelist.com/threats/viruses-
and-worms/
[129] Walfish, M., Vutukuru, M., Balakrishnan, H., Karger, D., & Shenker, S. (2010). DDoS defense by
offense. ACM Trans. Comput. Syst. (28) 1. doi:10.1145/1731060.1731063
[130] Wang, X., & Reiter, M. (2008). A multi-layer framework for puzzle-based denial-of-service
defense. International Journal Of Information Security, 7(4), 243-263. doi:10.1007/s10207-007-0042-x
[131] Warkentin, M., & Willison, R., (2009). Behavioral and policy issues in information systems
security: the insider threat. European Journal of Information Systems, 18, 101-105.
doi:10.1057/ejis.2009.12
[132] Waugh, R. (2012, January 6). New PC virus doesn't just steal your money - it creates fake online
bank statements so you even don't know it's gone. Retrieved April 3, 2015, from
http://www.dailymail.co.uk/sciencetech/article-2083271/SpyEye-trojan-horse-New-PC-virus-
steals-money-creates-fake-online-bank-statements.html
[133] Webber, K. (2015, February 18). FBI: 'Ransomware' virus infecting computers, seizing data.
Retrieved April 3, 2015, from http://www.ksat.com/content/pns/ksat/news/2015/02/18/fbi--
-ransomware--virus-infecting-computers--seizing-data.html
[134] Wu, Z., Cai, M., Liang, S., & Zhang, J. (2014). An approach for prevention of MitM attack based
on rogue AP in wireless network. Sensors & Transducers, 183(12), 162-171. Retrieved from
http://search.proquest.com.athens.iii.com/docview/1645168008?accountid=8411
[135] Xia, J., Chen, L., Li, Y., & Tong, E. (2014). A physical layer key negotiation mechanism to secure
wireless networks. Journal of Networks, 9(9), 2299+. Retrieved from http://0-
go.galegroup.com.athens.iii.com/ps/i.do?id=GALE%7CA383459822&v=2.1&u=athe65862&it=r
&p=AONE&sw=w&asid=0128b5250f0d4fa5f2343fd00dd4dbef
[136] Yang, Y., Luo, L., & Yin, G. (2013). A New Secure Quantum Key Expansion Scheme. International
Journal Of Theoretical Physics, 52(6), 2008-2016. doi:10.1007/s10773-012-1424-z
[137] Yasinsac, A. (2002). An environment for security protocol intrusion detection. Journal Of Computer
Security, 10(1/2), 177.
[138] Yu, J., Fang, C., Lu, L., & Li, Z. (2010). Mitigating application layer distributed denial of service
attacks via effective trust management. IET Communications, 4(16), 1952-1962. doi:10.1049/iet-
com.2009.0809
[139] Zhang, S., Wang, J., & Tang, C. (2012). Improved Fake-State Attack to the Quantum Key
Distribution Systems. International Journal Of Theoretical Physics, 51(9), 2719-2726.
doi:10.1007/s10773-012-1155-1
[140] Zuleita, H., & Jorswieck, E. (2014). Signal leakage neutralisation in instantaneous
non-regenerative relaying networks under channel uncertainty. IET Communications, 8(8), 1285-1295.
doi:10.1049/iet-com.2013.0617