Cybersecurity Education: A Collaborative Effort Between Academia, Private Industry, and Government for Incident Planning, Response & Management

Kevin R. Powers, J.D, Founder and Director, M.S. in Cybersecurity Policy & Governance Programs, Boston College, Assistant Professor of the Practice, Boston College Law School and Dr. Caroline McGroary, FCA, Fulbright Scholar, Boston College, Assistant Professor of Accounting, Dublin City University

In the last two years, major efforts have been made to improve the state of national cybersecurity in the U.S. These efforts include President Biden's Executive Order on Improving the Nation's Cybersecurity and, earlier this year, the signing of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law. Other efforts include the proposed reporting requirements from the Securities and Exchange Commission (SEC), the updates to the Federal Trade Commission's (FTC) Safeguards Rule, and the proposed amendments to the New York Department of Financial Services cybersecurity regulations. All of these relate to the enhancement and standardization of disclosures regarding incident reporting, cybersecurity risk management, strategy, governance, and cybersecurity oversight and expertise at the Board level. These efforts, amongst others, are aimed at making critical IT infrastructure safer and enhancing cybersecurity reporting and disclosures across Federal government systems and public companies, and they carry important implications for the private sector and academia as well.

Within this guidance, the incident response process has received significant attention, with calls being made for more robust processes around preparing for, responding to, and recovering from, cyberattacks. Incident response, while a topic that has gained significant attention across the industry and is a prominent feature in educational and training programs, remains an area which is constantly evolving and, therefore, requires regular evaluation. 

Despite the acceptance that adequate incident response planning and training is critical for organizations, research indicates that, on average, 70%+ of organizations do not have an incident response plan that is applied consistently (IBM, 2022). To put this in context, the number of intrusion attempts in 2021 increased by 11% (to 5.3 trillion), with ransomware attacks increasing by 105% (to 623.3 million) (CyberSaint Security, 2022). Furthermore, a recent report by the SysAdmin, Audit, Network and Security (SANS) Institute outlined that approximately 60% of ethical hackers need less than five hours to break into a corporate environment once they discover a weakness. Therefore, in the absence of a robust incident response plan and adequate training on how to operationalize that plan, organizations are at considerable risk. It is for this reason that quality education and training in the area of incident response is critical, with academia playing an important role in this space.

Before exploring the various stages in the incident response process, it is useful to define the meaning of the term. Cybersecurity incident response is commonly referred to as an organizational process that enables a timely and effective response to cyberattacks. The incident response process includes identifying an attack, understanding its severity and prioritizing it, investigating and mitigating the attack, restoring operations, and taking action to minimize the likelihood of reoccurrence (NIST, 2021).

While there are various incident response frameworks that guide the implementation of an incident response plan, and such frameworks often need to be tailored to the needs of individual organizations, the National Institute of Standards and Technology (NIST) incident response framework provides a useful starting point. This framework includes four main stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a cybersecurity incident, 3) containment, eradication, and recovery, and 4) post-incident activity, including post-incident analysis. These four stages are part of an ongoing process which helps organizations design a response plan that can be implemented in the event of a cyberattack.

The first stage deals with adequately preparing for an attack. This stage is critical, yet it is often difficult to implement because the organization has not yet encountered the threat it is preparing for. It not only requires the development of an incident response plan but also requires a major investment in education and training to ensure that all those involved in the incident response team know how the plan is to be executed, both from an operational and a legal perspective, in the event of an attack. This is often cited as an area where organizations need continuous support and where appropriate resources, financial and otherwise, must be allocated. This is often a challenge for smaller organizations that have more limited budgets than larger organizations. However, given that the U.S. National Cybersecurity Alliance outlines that the cost of recovering after an attack for a small to mid-sized business can range from $690,000 to over $1 million, adequate investment in incident response planning is a worthwhile investment. NIST further outlines that if an incident response team is unavailable in-house, this function should be outsourced to ensure organizations are adequately protected.

The second stage is centered around the detection and analysis of an attack. More often than not, an attack is only visible after it has already begun. At this stage, it is critical that organizations know how to activate the incident response plan: confirming that an incident has occurred, assessing its severity and prioritizing it, documenting what is known, and reporting the incident to the relevant authorities within the required timeframes.

The third stage includes containment, eradication, and recovery. NIST proposes that organizations have a containment strategy for each type of attack. This stage also includes evidence gathering, which can be used for legal matters. When the threat is contained, the next step is the eradication of the threat. When complete, it is then necessary to recover from the attack. This may require software and operating system updates to address the vulnerabilities that were exploited. It may also be necessary to restore data from backups. There has been much concern in recent reports about the adequacy of the recovery capabilities and data backups required to recover from cyberattacks. For example, statistics indicate that 65% of U.S. companies lack full confidence in their legacy backup solutions (HYCU, 2022), highlighting the importance of adequate investment in this area.

The fourth stage, which often gets the least attention, is the post-incident analysis. This involves determining the lessons learned, including revising the incident response strategies and taking corrective action where necessary. This stage also involves the creation of reports for use both internally and externally and the sharing of information. This stage is now being supported by the additional guidance outlined above, requiring more stringent reporting and sharing of information regarding cyberattacks.

These four interconnected stages are part of an ongoing process which requires continuous learning and enhancement to determine how best to protect an organization. Furthermore, as cyberattacks rise in scale and sophistication, coupled with increasing regulations and public expectations of transparency and operational resilience, incident response education and training is increasingly important at all levels across organizations, especially for the Board and senior management. Cybersecurity is a complex and dynamic environment, and the full Board should, at the very least, receive semi-annual digital and cybersecurity risk oversight training to enable them to better perform their duties and fulfill their fiduciary oversight responsibilities. Indeed, such training should include a "table-top" exercise involving a cyberattack simulation focusing on ransomware, so that the Board can better gauge the maturity of the organization's cybersecurity program: its ability to plan for, respond to, mitigate, and recover from a cyberattack in order to protect its business operations, network systems, and sensitive customer data, as well as to navigate the regulatory landscape effectively.

Importantly, senior business executives, C-Suites, and Boards do not need technical backgrounds to understand cybersecurity. Rather, cybersecurity is a "business" issue based on risk, which is something business leaders have been focusing on for years as a business concern; it's what they do. For example, in developing future cybersecurity professionals at Boston College, our Master of Science in Cybersecurity Policy & Governance Program prepares students to bridge the communication gap between IT security professionals and key business stakeholders, and to lead, design, and frame a business case for investment to senior executives, Boards of Directors, and government officials. All of our courses are taught by industry and government experts, leaders, and practitioners. Moreover, we require all of our graduate students to take the course "Cybersecurity Incident Planning, Response, and Management," where students learn, hands-on, not only how to draft and manage an incident response plan but also how to effectively and efficiently run and oversee "table-top" exercises, based on industry and government best practices, as set forth above. Instead of focusing on the technical aspects, business leaders should look to cybersecurity as part of their enterprise risk management program and then focus on governance - the policies and procedures to manage that cyber risk.

Through this collaborative effort between academia, private industry, and government at Boston College, we are developing the blueprint for effective cybersecurity incident response by looking at cybersecurity as part of an organization's enterprise risk management program and then focusing on governance - the policies and procedures to manage that cyber risk. We are doing so because effective cybersecurity starts at the top - the Board and C-Suite.
