Business Brief for Management Unit

Limiting the vulnerability of
Sunshine Medical Supplies
to computer security incidents

Assessment Item 1 •  Management

1.0      Introduction

This brief will provide two (2) recommendations for limiting the vulnerability of Sunshine Medical Supplies’ (Sunshine) Information Technology (IT) infrastructure to internal and external cybercrime and “Distributed Denial of Service” (DDoS) attacks, as described in The Sydney Morning Herald news article “Rise in cyber attacks on Australian businesses” (Moses, 2013) (Appendix A). IT infrastructure is a core component of Sunshine’s customer relationship management (CRM) system, enabling Sunshine to provide superior customer service through the collection and management of customer data (Samson & Daft, 2012, p. 60), and providing financial services to all sites. Strategies for limiting vulnerability outlined in this brief are investment in IT security policies and awareness training for all employees, and development of a Technological Crisis Management (TCM) Plan (Davis, 2005).

2.0      Analysis of Topic

2.1    Advantages

Improved IT security policies and staff awareness will reduce Sunshine’s vulnerability to computer security incidents (CSIs), which comprise “any unauthorised use, damage, monitoring attack or theft of business information technology”, including viruses and other malicious code (malware), spyware, phishing, sabotage of network or data, online fraud, and DDoS attacks (Hutchings, 2012, p. 2, Richards & Davis, 2010, p. 1). Incidents of extortion using “ransomware” are on the rise in Australia (CERT Australia, 2012, p. 22).

Motivations for attacks include targeted and indiscriminate attacks, financial gain, hacktivism, personal grievance, and extortion (CERT Australia, 2012, pp. 19-28). Research indicates monitoring employee engagement and addressing grievances can limit vulnerability to internal attacks (Strohmeier, 2013), which account for 44% of reported CSIs (CERT Australia, 2012, p. 4). Sunshine can limit vulnerability through improved policies targeting common employee IT activities and providing training to identify and respond to external breaches.

Sunshine risks significant financial and market losses in the event of a successful CSI. A 2009 report indicated Small and Medium Enterprises may lack the capacity to detect and prevent CSIs, increasing their vulnerability to attack (Richards, 2009, p. iv). Implementation of a TCM plan will enforce security as a core business value, and provide employees with ongoing awareness of current CSI trends and the appropriate response (Davis, 2005). Encouraging individuals to actively contribute to organisational goals aligns with Sunshine’s ‘Theory Y’ management policies (Samson & Daft, 2012, pp. 55-56).

2.2       Disadvantages

Significant investment is required to develop a TCM Plan and provide training across all Sunshine sites, with no certainty of experiencing attacks (Davis, 2005, p. 124). If vulnerabilities are eliminated, the IT system will not experience CSIs, limiting Sunshine’s ability to assess return on investment and justify expenses. Ongoing assessment and maintenance of a TCM Plan requires participation from all employees, risking alienating employees who consider it intrusive (Davis, 2005, p. 128).

3.0      Recommendations

The development of a TCM plan will limit losses in the event of an attack, enabling Sunshine to respond effectively and minimise impact on operations. Short-term impacts include significant financial and other losses, exposure to lawsuits when security breaches involve customer data, and increases in operational costs (Choo, 2011, p. 720), justifying this investment.

It is recommended Sunshine invest in the development of IT security and awareness training for all employees and a TCM plan to enable Sunshine to limit financial loss and defend market position in the event of a targeted or random CSI.

Reference List

CERT Australia. (2012). Cyber Crime & Security Survey Report 2012. Retrieved from http://www.canberra.edu.au/cis/storage/Cyber%20Crime%20and%20Security%20Survey%20Report%202012.pdf

Choo, K.-K. R. (2011). The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwVZ2xDcMwDARVZIWkzgICZIq2pDqI4QGcAUiKv_8IkYAUzgasiPsHcQzhydnWZDRJVKtXEQP1rKpQkLj8lW2Xbb7fw2d_n68j_v4ARKO0UqSlO0QbIQtvg2_U5z2cNsOYoFdLpTSZYjNmoExFHqMOlJC8OXtbHuE2srR_AX6ZJrM. doi:10.1016/j.cose.2011.08.004

Davis, B. J. (2005). PREPARE: seeking systemic solutions for technological crisis management. Knowledge and Process Management, 12(2), 123-131. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwVV3JDcMwDPMjK7TvLGCgkRTXfhcNOkAzgA5r_xEiB3m0E_BDSKRAUCnNhLo-FIYSldorszoYioiLA3f-O7b9TPPtlvbt_X198vUHIOsoKMtQjJqxBn0UoC1kSMJOhZ-xPWs_I5IoayA2K8xnKZwbhtQYyGW5pym8dD8AS64l2A. doi:10.1002/kpm.220

Moses, A. (2013, 18 February). Rise in cyber attacks on Australian businesses, The Sydney Morning Herald. Retrieved from http://www.smh.com.au/it-pro/security-it/rise-in-cyber-attacks-on-australian-businesses-20130218-2em94.html#ixzz2LCv9SUo1

Richards, K. (2009). The Australian business assessment of computer user security: a national survey. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwY2BQMEwFHwOVmJxiZp5oYp4CbPOnJJsbJxmmGpknWaQZoAy2IZXmbqIMMm6uIc4euoWlJfHQ4Yv4JCNzUA8OWBeJMbAAu8SpAEuQFyM

Samson, D., & Daft, R. L. (2012). Fundamentals of management. South Melbourne, Vic: Cengage Learning.

Strohmeier, S. (2013). Employee relationship management — Realizing competitive advantage through information technology? Human Resource Management Review, 23(1), 93-104. Retrieved from http://qut.summon.serialssolutions.com/link/0/eLvHCXMwVV25DcMwDFSRFeI6CwiwTFKi6yCGB_AC4rf_CGGAFEnNgg1xD6-4Uh6rIdpGZpt0HaNNAFd0nJRiVkD-nm0_aH7cy3W8rudZvz0AVZlbpXBimclkEUkwqYExHD7x0dDeHJB72ERhE9kxj1QkcugrKIHm0qXc0kr7G9KIJXI. doi:10.1016/j.hrmr.2012.06.009

 

Appendix A

Cyber attacks against Australian businesses are on the rise (Moses, 2013)

Date February 18, 2013 – 11:13AM

Cyber attacks against Australian organisations are on the rise with over one fifth of 255 major firms surveyed for a new government report owning up to being targeted in the past year.

Of those targeted a further 20 per cent said they had experienced more than 10 “cyber security incidents”. One organisation reported the theft of 15 years’ worth of critical business data.

The 2012 Cyber Crime and Security Survey Report, commissioned by national computer emergency response team CERT Australia and conducted by the University of Canberra was released on Monday.

The report said those who reported no cyber incidents were likely to not have detected them.

More than half of the affected organisations surveyed believed the attacks on their firm to be targeted (rather than indiscriminate), with the majority coming from external sources but 44 per cent originating from within the organisation.

Attacks involved the use of malicious software such as “ransomware” and “scareware”, and trojans to steal confidential information, and denial-of-service campaigns.

This is despite 90 per cent of respondents reporting the use of antivirus software, spam filters and firewalls, and 65 per cent having IT security staff with tertiary level IT qualifications.

In late September last year CERT Australia received calls from more than 25 organisations being targeted by ransomware, which involved attackers scaring victims into handing over money or risk losing their data.

Another example included in the report was in early last year when CERT Australia received reports from a range of financial firms who had their websites targeted with DDoS attacks, knocking them offline, and demanding they made a payment.

“Cyber attacks have shifted from being indiscriminate and random to being more coordinated and targeted for financial gain,” said Attorney-General Mark Dreyfus.

“Most attacks occur from outside the business, although it appears internal risks are also significant.”

At a time when it only takes one naive employee clicking on a malicious email attachment to breach a corporate network, the report found “many organisations are not confident that cyber security is sufficiently understood and appreciated by staff, management and boards”.

One fifth of the targeted organisations said they did not report the cyber incidents to a law enforcement agency because they feared negative publicity.

The most common way hackers broke into organisations was by using powerful automated attack tools or exploiting software holes or misconfigured systems. A third of attacks involved the theft of notebooks, tablets or mobiles.

In January Prime Minister Julia Gillard announced that CERT Australia would soon be part of a new Australian Cyber Security Centre, which aims to develop a comprehensive understanding of cyber threats facing the nation.

However, in Senate estimates last week it was revealed there would be no new funding for the centre with 95 per cent of staff coming from Defence and no independent leadership.

Hot Fuzz: A Post Adultescent Buddy/Bromantic Comedy

In this presentation I will look at the narrative role of The Villain, as described by Vladimir Propp in Morphology of the Folktale, and use a one minute sequence from the Edgar Wright film Hot Fuzz (Wright, 2007) to demonstrate the 28th function from Propp’s Morphology (Propp, 1968): “The (false hero or) Villain is exposed”.
In Morphology of the Folktale, Propp (1968) describes 31 ‘Functions’, or actions, that outline the sequence of events in a folktale narrative (Waugh, 1966, Fell, 1977). In his studies of more than 100 Russian ‘Wonder tales’, or folktales, Propp found that while not all 31 functions were always present in all folktales (Propp, 1968), the folktales would not contain additional ‘functions’, and the order of the events was fixed (Fell, 1977, Propp, 1968). Although Propp’s study was restricted to Russian folktales, and conducted in 1928, the structure he described is restricted to neither Russian narratives nor folktales, and can be applied to describing the narrative of a hero’s quest or journey across many genres and cultures (Fell, 1977, Gillespie and Toynbee, 2006).
Question: What are the 7 roles identified by Propp?
Seven roles identified by Propp in Morphology of Folktale (Gillespie and Toynbee, 2006).
1. The Villain
2. The Hero
3. The Donor
4. The Helper
5. The Princess
6. The Dispatcher
7. The False Hero
The Villain, coming in at number 1 on Propp’s chart (Gillespie and Toynbee, 2006, Fell, 1977), initiates the movement of the tale or narrative (Propp, 1968), but can be known or unknown to the hero or chief protagonist. At the “pivotal” (Murphy, 2008) Function 8, the villain causes harm or injury to a member of a family (Propp, 1968, Murphy, 2008). At this time, narrative events are set in motion. Bulgarian narratologist Todorov described the process of a narrative as a sequence of events from a state of equilibrium, through a series of disruptions or dis-equilibrium, until the resolution, or revised equilibrium, is achieved (Gillespie and Toynbee, 2006).
Question: Can you think of any movies where the identity of the villain is obscured from the hero?
In The Lion King, King Mufasa’s brother Scar commits regicide in order to propel the narrative of the hero, Simba, who believes himself to be to blame for the death of his father (Allers and Minkoff, 1994) (Or question to the class: who can tell me how the events of The Lion King are set in motion?). In M. Night Shyamalan’s Unbreakable (2000), hero David Dunn is propelled through a series of events by Elijah Price, only to ultimately discover Price is the villain. Other examples of villains that hide in plain sight include Verbal Kint in The Usual Suspects (Singer, 1995), and Senator – later Emperor – Palpatine in the Star Wars prequel trilogy (Lucas, 1999/2002/2005). In the reimagined Battlestar Galactica (NBC Television, 2004-2009) the audience knows throughout much of the series that Gaius Baltar is responsible for the network disruption that allowed the Cylons to wipe out the humans, but this knowledge is unknown to most of the rest of the characters until late in the narrative.
Question: Can you name any other film or TV villains that reveal their villainy towards the climax of a narrative? Where the hero or heroes might be working with the villain without knowing?
At Function 28 of Propp’s Morphology (1968), “The (False Hero or) Villain is Exposed.” In the video clip I am about to show, the identity of the true villain of Hot Fuzz is revealed to The Hero, Sergeant Nicholas Angel. Having listened to a recount of all the dastardly deeds in the narrative, as Propp (1968) described in the process of this Function, the true villain steps forward to provide the audience and the Hero with the reasoning behind his actions.
Play Clip
From this point, Hot Fuzz proceeds through Propp’s 3 remaining Functions: #29 “The Hero is Given a New Appearance”, when Sergeant Angel is confronted by his magical items – DVD copies of Point Break (Bigelow, 1991) and Bad Boys II (Bay, 2003) – and purchases a pair of aviator sunglasses; #30 “The Villain is Punished”, when the entire Village preservation society falls relatively bloodlessly in a pitched gun battle with Sergeant Angel and Helper/Donor PC Butterman; #31 “The Hero is Married and Ascends to the Throne” (Propp, 1968), when, having vanquished the villain, Sergeant Angel declines an offer to return to his original life in favour of remaining in the village.  
A Post-Adultescent Bromantic Comedy: Placing Hot Fuzz in Popular Culture
Hot Fuzz is a continuation of the Edgar Wright and Simon Pegg collaboration of “Adultescent” (Furedi, 2003) narratives that began with the TV series Spaced and continued in Shaun of the Dead (Wright, 2004). In these narratives, Wright and Pegg demonstrate the western subculture of “retro nostalgia” (Furedi, 2003), recreating childhoods heavily influenced by the infiltration of entertainment equipment, in the form of video cassette players and video gaming consoles, into homes throughout the western world. The constant stream of homages and tropes found in Hot Fuzz, as well as their other collaborations, demonstrates the collection of a significant amount of popular culture capital.
Romantic comedies have long been a staple of Hollywood. Whether it’s Katharine Hepburn and Spencer Tracy, or Doris Day and Rock Hudson, or Tom Hanks and Meg Ryan, the resilience of the genre is perhaps rooted in the “powerful need in human beings to believe in the utopian possibilities in the image of the couple” (Deleyto, 2003).
While the romantic object of The Hero in Hot Fuzz is not sexual love, PC Danny Butterman fulfils the Proppian role of The Princess (Gillespie and Toynbee, 2006), by forming a significant emotional relationship with The Hero, with the result being their continued partnership at the end of the film. The action-cop buddy formula (Brown, 1993) of Hot Fuzz reflects the proliferation of this genre on television and in feature films throughout the 1980s and 1990s, including Point Break (Bigelow, 1991) and Bad Boys II (Bay, 2003), as cited in the film, as well as director Richard Donner’s Lethal Weapon (Donner, 1987) franchise.
Question: Can you name any romantic comedies?
Romantic comedies have been reimagined a number of times since the introduction of the ‘talkies’ in the 1930s (Jeffers McDonald, 2009). The current and pervasive idea of the ‘rom-com’, established in the late 1980s and 1990s, is centred around the female experience and expectations of romance (Jeffers McDonald, 2009), and such films are viewed as almost “exclusively films for women” (Alberti, 2013).
With the turn of a new century, a “new climate of social and sexual equality” has created the space for popular culture, feature films and television in particular, to explore “other types of relationships not defined by the conventional codes of the heteronormative romantic comedy” (Alberti, 2013).
Perhaps in an effort to redress this perceived imbalance, the sub-genre of what has been called the “Homme-com” has emerged to address changing representations of masculinity (Jeffers McDonald, 2009, Alberti, 2013). In the Homme-com, audiences see the romance from the man’s point of view, often with the assistance and advice of another man. The drawback of these films, for female audiences, is the scatological nature of much of the humour (Jeffers McDonald, 2009).
Question: Can you name any romantic comedies told from a male point of view? e.g. Farrelly Brothers/gross-out comedies.
Hot Fuzz differs from these Homme-coms in that it avoids relying on toilet humour, instead concentrating on well-worn tropes. As such, I have chosen to refer to it as a Bromantic Comedy, in reference to the platonic relationship between Sergeant Angel and PC Butterman, which is central to the narrative and not an external influence, as it is in Homme-coms.
How about Buddy movies? Butch Cassidy and the Sundance Kid, Shawshank Redemption, Some Like it Hot, 48 Hours

References
ALBERTI, J. 2013. “I Love You, Man”: Bromances, the Construction of Masculinity, and the Continuing Evolution of the Romantic Comedy. Quarterly Review of Film and Video, 30, 159.
The Lion King, 1994. Directed by ALLERS, R. & MINKOFF, R.: Walt Disney Pictures.
Bad Boys II, 2003. Directed by BAY, M.: Columbia Pictures Corporation.
Point Break, 1991. Directed by BIGELOW, K.: 20th Century Fox.
BROWN, J. 1993. Bullets, buddies, and bad guys: The ‘action-cop’ genre. Journal of Popular Film & Television, 21, 79-87.
DELEYTO, C. 2003. Between Friends: Love and Friendship in Contemporary Hollywood Romantic Comedy. Screen, 44, 167-182.
Lethal Weapon, 1987. Directed by DONNER, R.: Warner Bros. Pictures.
FELL, J. L. 1977. Vladimir Propp in Hollywood. Film Quarterly, 30, 19-28.
FUREDI, F. 2003. The children who won’t grow up [Online]. Available: http://www.frankfuredi.com/index.php/site/article/103/ [Accessed 10 March 2013].
GILLESPIE, M. & TOYNBEE, J. 2006. Analysing media texts, New York, NY, USA, Open University Press in association with The Open University.
JEFFERS MCDONALD, T. 2009. Homme-Com: Engendering change in contemporary romantic comedy. In: ABBOTT, S. & JERMYN, D. (eds.) Falling in Love Again: Romantic Comedy in Contemporary Cinema. London: I.B.Tauris.
Star Wars Prequel Trilogy, 1999/2002/2005. Directed by LUCAS, G.: 20th Century Fox.
MURPHY, T. P. 2008. The pivotal eighth function and the pivotal fourth character: resolving two discrepancies in Vladimir Propp’s Morphology of the Folktale. Language and Literature, 17, 59-75.
Battlestar Galactica, 2004-2009. Directed by NBC TELEVISION. NBC Television.
PROPP, V. 1968. Excerpts from Morphology of the Folktale. Available: http://homes.di.unimi.it/~alberti/Mm10/doc/propp.pdf [Accessed 10 March 2013].
Unbreakable, 2000. Directed by SHYAMALAN, M. N.: Touchstone Pictures.
The Usual Suspects, 1995. Directed by SINGER, B.: Polygram Filmed Entertainment.
WAUGH, B. 1966. Structural Analysis in Literature and Folklore. Western Folklore, 25, 153-164.
Shaun of the Dead, 2004. Directed by WRIGHT, E.: Universal Pictures.
Hot Fuzz, 2007. Directed by WRIGHT, E.: Universal Studios.