Information Technology Security and Risk Management: Inductive Cases for Information Security is a compilation of cases that examine recent developments and issues that are relevant to IT security managers, risk assessment and management, and the broader topic of IT security in the 21st century. As the title indicates, the cases are written and analyzed inductively, which is to say that the authors allowed the cases to speak for themselves, and lead where they would, rather than approach the cases with presuppositions or assumptions regarding what the case should be "about". In other words, the authors were given broad discretion to interpret a case in the most interesting and relevant manner possible; any given case may be "about" many things, depending on the perspective adopted by the reader, and many different lessons may be learned. The inductive approach of these cases reflects the design philosophy of the advanced IT Security and Risk Management course we teach on the topic here at the University of Canterbury, where all discussions begin with the analysis of a specific case of interest and follow the most interesting and salient aspects of the case in evidence. In our course, the presentation, analysis, and discussion of a case are followed by a brief lecture to address the conceptual, theoretical, and scholarly dimensions arising from the case. The inductive approach to teaching and learning also comes with a huge advantage – the students seem to love it, and often express their appreciation for a fresh and engaging approach to learning the sometimes-highly-technical content of an IT security course. As instructors, we are also grateful for the break in the typical scripted "chalk-and-talk" of a university lecture afforded by the spontaneity of the inductive approach.
We were motivated to prepare this text because there seems to be no other book of cases dedicated to the topic of IT security and risk management, and because of our own success and satisfaction with inductive teaching and learning. We believe this book would be useful either for an inductive, case-based course like our own or as a body of cases to be discussed in a more traditional course with a deductive approach. There are abstracts and keywords for each case, which would help instructors select cases for discussions on specific topics, and PowerPoint slides are available as a guide for discussion about a given case.
Table of Contents:
SECTION 1. TECHNICAL CASES, TEACHING CASES, 1.1. Data Breach at Nintendo Co. Ltd.: 300,000 Nintendo Users Hacked, 1.2. Target Corporation, 1.3. Case Study: Cyber-attack on Ukrainian Power Grid, 1.4. Capital One Data Breach, 1.5. LinkedIn Data Hack, 1.6. Zoombombing: A Technical Perspective, 1.7. Case Study: Ransomware Attack on IT Firm Collabera, 1.8. Neuralink: A Neural Technology Company, 1.9. Securing the Internet of Things, RESEARCH CASES, 1.10. Connected Vehicles: An Era of Communications Technologies, Cybersecurity, and Innovation, 1.11. SilverPush: A Case of Convenience versus Privacy, SECTION 2. BEHAVIORAL AND SOCIAL CASES, TEACHING CASES, 2.1. Microsoft 365 Phishing Case, 2.2. Internet of Things Security: Trend Micro Experiment, 2.3. 2014 Cyber-attack on eBay Case Study Analysis, 2.4. Internal Revenue Service Scams, 2.5. International Student Scams, 2.6. Security and Privacy Risk with Social Robotics, 2.7. Financial Fraud (IS System Controls) at NCL Ltd, 2.8. When You Can’t Believe What You See or Hear, 2.9. Robots: Attack Vectors and Safeguards, 2.10. Ransomware: Hollywood Presbyterian Medical Center, 2.11. Fast Food Phishing: Cyber Espionage, 2.12. Workplace Robots, RESEARCH CASES, 2.13. Facial Recognition: Legal, Ethical, and Cultural Concerns, 2.14. Aadhaar: The National Identity System of India, SECTION 3. PROCESS CASES, TEACHING CASES, 3.1. NHS: COVID-19 Research Ethics and Governance, 3.2. Marriot Data Breach: A Case Study Analysis, 3.3. ChoicePoint, 3.4. TJX, 3.5. Case Study: A Data Breach on Flipboard, 3.6. What Happens in Vegas: Breach of Data Confidentiality, 3.7. PIH Health Phishing, 3.8. Biometric Protection and Security: A Case Study on Clearview AI, 3.9. Zoombombing: A Business Process Perspective, 3.10. Security in the Healthcare Sector, 3.11. eBay Hack, 3.12. Using AI to Maintain Security of Healthcare Systems, RESEARCH CASES, 3.13. Digital Identity Theft Using Deepfakes
About the Author :
Steven Wingreen is an Associate Professor of Information Systems and Decision Sciences at the University of Canterbury in Christchurch, New Zealand. Prior to his academic career, he was a manager of networks and telecommunications whose responsibilities included network security. He has taught IT security and risk management over the span of his 23-year teaching career at multiple universities, both as a component of more comprehensive courses and as its own course. His current research agenda on the topic of emerging technologies in 21st century commerce includes a project with multiple papers about information privacy, trust, and ethical concerns in the context of advanced emerging technologies.
