4B: Case Study – Protecting the Cheddar

Information involved in education and research, particularly in universities, could certainly be at risk. Universities already hold a lot of private information about students, such as their SSN, financial data, and contact information. Information leaks would be devastating, but they could be even more severe depending on the kind of institution. If a private research university were targeted, that could be damaging in terms of financial risk or even intellectual material. It is difficult to separate what information should stay off the grid in this regard, as managing information on this scale requires a balance between ease of access and security. For higher-risk research material/intellectual property, there could be a balance in keeping that information off the main network and on a smaller, secure network. This would help prevent that material from being damaged in a larger attack on the main network. I would prioritize highly sensitive information, such as a person’s SSN or visa information, to be carefully guarded above other things, as that information can give an intruder broader access to personal information.

This case study reminded me of JHU APL (Johns Hopkins University Applied Physics Lab), a university-affiliated research lab. There are a variety of classified projects there, with a good number having governmental ties to the DoD and NASA. While the lab faces constant minor attacks and has a robust system to prevent large ones, there have been a few lab-wide shutdowns due to security breaches. In situations like this, it would be best to keep documentation on weapons (nuclear or otherwise) off the larger network as much as possible. At the moment, worker logins and access to information continue to be guarded with various authentication systems, and those should continue to be guarded as they would be the easiest points of entry.

As for the example of Sara speaking in the case study, the conversation might have just stalled at the suggestion for an increase in budget for new security systems. Seeing that the other members of the meeting hesitated to speak after Frank’s suggestion gave the impression that they might have been afraid to speak up against someone higher up in the chain of command, or someone who was more specialized in the problem than they were. In a situation like this, it is difficult to speak up when you think you aren’t the person for the task. If she had stayed quiet, there likely wouldn’t have been the suggestion to turn away from more technology. Since Chad was the one who pushed for the digital changes, it would have been more likely that someone suggested more technology, as in Frank’s case. If the CEO had ignored her, that might have prevented any suggestions about going more off-grid from other people. Sara challenged assumptions on several fronts, mainly a) that she couldn’t make valid suggestions since she didn’t work near the information security division, b) that she couldn’t speak as deputy to the COO, being of lesser status than both him and the CEO, and c) that she was potentially less knowledgeable than her peers (some of whom were mentioned to be engineers). It was important that she challenged these and that her point was explored further, because it showed that a potential solution didn’t need to come from the most “experienced” or “qualified” person in the room. It showed that unexpected solutions can come from unexpected sources, and hopefully it would encourage others to contribute down the road.
