ISACA JOURNAL VOL 6
THE PRACTICAL ASPECT

Some Security-Related Reminders

Vasant Raval, DBA, CISA, ACMA, is emeritus professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interest include financial fraud, information security and corporate governance. He can be reached at vraval@creighton.edu.

As a discipline, information security has come a long way. Security practices have become more sophisticated over time, and the traditionally emphasized domains, such as physical security, appear to be well under control, or perhaps their importance has declined due to the virtualization of today's information systems. Fifty years ago, information systems had recognizable boundaries and it was easy to determine if the moats were filled with water and the bridges were pulled up to secure the castle. Not so anymore.

Information security over the past few decades has struggled on shifting ground. Personal computers, networks, the Internet, big data and artificial intelligence (AI) are some of the progressive developments that have kept information security tiptoeing around numerous unprecedented challenges. Demands from new generations of users, as in the uses of smartphones, and a shift toward greater efficiency, as in cloud sourcing, have pushed systems to do more and with quicker turnarounds. Society is moving toward paperless communication. Documents such as checks, bank statements, annual reports and proxy statements are no longer physically visible; instead, most documents are delivered through the web. Like it or not, the new mode of work and life is taking hold. Of the three information systems objectives (functionality, availability and security), availability has gained considerable ground. In the past, if a system was not available for some time, only a few users might be affected. Now, in the connected world, most systems are expected to be accessible almost all the time.

The new generation of networked and wireless systems means greater risk, whether users are aware of it or not. But security solutions for new scenarios are not easy. They require creativity and innovation backed by research in security technology to meet the challenges of newly known vulnerabilities and unidentified blind spots. And yet, the foremost pressure on security solutions is in keeping the costs of security low while not jeopardizing system availability and functionality. Whereas every security solution requires deep insights and granular work, we need to remind ourselves that there are several constants (I call them propositions) in the practice of information security. Only a reminder may be warranted, for these have existed for as long as information systems have been around.

Proposition 1: Accountability for Security Solutions Cannot Be Outsourced

Time and again, we have been told that the ultimate responsibility for security rests with the entity that owns or controls the system. Third parties are essential in the life of an entity, but the choice of engaging them comes with the obligation of managing the risk and vulnerabilities that third parties knowingly or otherwise bring to the entity.1 Whether it is electricity purchased from a local utility or cloud services from a global leader in cloud solutions, the issue remains the same. Is your enterprise safe? The answer is best determined by you only, for others see only part of the puzzle; the missing or vulnerable pieces are your concern. Whether it is a customer or a vendor who provides services or supplies, their association with the entity is bonded in what data they share, how they share it and what access rights are granted to them. In the healthcare industry, for example, patient data are accessible to patients, medical insurance providers, physicians and hospital administrators. These include data generated throughout the entire process, from making an appointment with a physician to sharing results of tests to diagnosis and treatment of the disease. Managing relationships intertwined with virtual access to all involved in providing healthcare, including those who work in patient billing, is important, and security questions should be addressed among the other aspirations regarding the interconnected system.

The security obligation cannot be fulfilled by merely outsourcing security services. Outsourcing a security service does not mean that the entity can transfer the responsibility of being secure to anyone else; that responsibility still remains with the entity. In structuring such outsourcing arrangements, it is extremely important to address all aspects of security, without compromise, to lower the chances of a breach. One can be blindsided by the comfort with and assurance from service providers, many of whom are formidable enterprises with solid reputations for helping their customers stay secure. However, a misstep on the customer's part may be as simple as not properly configuring the firewall that guards their data residing with the provider. No matter where the data and the information processes go, the enterprise that owns them must take charge of providing satisfactory security of such resources.

It is quite likely that the organization depends on others to deliver some security solutions, as in the case of a cloud service provider (CSP) that assists with protecting the customer's data. Farming out security solutions is not the same thing as delivering the overarching responsibility of risk management. An in-depth understanding of what it is, how it is structured and whether it mitigates the entity's full risk spectrum: these are important questions that only the organization that is responsible can address.

Proposition 2: Most Security Solutions Are Not Guaranteed to Be Foolproof

In a recent interview, Kevin Mitnick, a formidable hacker turned white hat, said that he has never encountered a system he could not infiltrate.2 While security measures may seem formidable as designed, not all of them are infallible. In arriving at a reasonable security solution, developers may have had to balance system functionality and availability against system security, and this could result in a less than foolproof solution. The omission of more rigorous security measures, or simply not having thought of a risk and, therefore, its mitigation, would result in gaps. Generally, it is hard to claim that any piece of software with diverse users is safe from vulnerabilities. Besides, the mere length and complexity of software could be a factor in knowing confidently how well the ground is covered. The Windows operating system, for example, has approximately 50 million lines of code (LOC). Although LOC is not a comprehensive measure of software complexity, when combined with the nature of the software structure, the size of the software engineering team and the turnover among team members, it would provide some understanding of the risk scenarios involved. It is, therefore, wise to follow defense-in-depth practices, with layered controls to avoid a single point of failure.

The recent data theft from Capital One Financial provides an example. A veteran of the US federal government, the current chief information security officer (CISO) joined the organization in 2017. An impression that he was unsuited to the private sector prevailed among those who worked with him. His direct reports departed and some of the replacements left, too. Even routine cybersecurity measures, such as installing acquired software that would help detect hacks, received little attention.3 Collectively, it is the human side that fell apart.

A clear sign of the understanding that software may not be bulletproof comes from the renewed interest in inviting external parties (i.e., researchers, hackers, engineers) to locate vulnerabilities in the organization's code.4 The organization provides access to the code and offers incentives wherein the size of the reward is aligned with the severity of the vulnerability identified. Inviting outsiders to unearth your software's vulnerabilities is a risk, but the payoff could also be significant. The organization may not have the right skill set, knowledge of the hackers' motives or tools, or sufficient resources to pursue such moves; only an outsider can do it. And the cost is proportionate to the risk identified, so the tactic is cost-effective. Ultimately, the value of this initiative lies in how quickly the organization acts on the vulnerabilities disclosed.

Proposition 3: Humans Are the Dominant Source of Security Compromises

No matter how strong the security measures, compromises invariably happen. Technology only facilitates; it is the humans who do the damage. Despite all the laws, regulations, codes of conduct, enforcement actions and punishments, wrongdoing has been around and will continue to persist. If anything, wrongdoing has been recognized as a norm rather than an exception.5 Human tendencies are like etchings on a coin; people cannot change their character easily, at least in the short run. According to one fraud model, a person's disposition (tendencies, propensities, habits) reflects the person's virtues and, depending on the disposition, the person may be self-regarding or other-regarding in nature. Influential managers of a self-regarding nature are more vulnerable to the temptation of compromising their moral resolve. As a result, a self-regarding disposition can be considered a red flag in detecting or preventing a crime.6

Even organizations with unlimited resources for security are still at the mercy of the weakest link in their chain, the human element.7 The latest in the exhibition of human frailty is the case of Capital One Financial. Paige Thompson, a former employee of Amazon Web Services, allegedly broke into a Capital One firewall to access data the bank had stored on the Amazon cloud service. The data breach affected 106 million records of card customers and applicants.8 In 2013, Edward Snowden leaked classified information from the US National Security Agency (NSA). While these are extreme cases of failure in human conduct, many others likely happen daily and are committed by ordinary people who are technology savvy and serve in sensitive areas of information systems. Instead of abusing a vulnerability known to her, Paige Thompson could have helped the bank correct the configuration of the firewall that worked as part of the data protection measure for the cloud.

In an elaborate design of computer security, the one moving target is the human being. It would be easy to dismiss the cases noted as aberrations on the grounds that the actors in such cases are sociopaths. If accepted as a valid generalization, this would also result in a refusal to recognize that at the center of such breaches there are one or more humans who helped stage the crime. Regardless of categorization, the fact remains that humans are the primary trigger in the collapse. Knowing their character deep down is probably the only remedy.

Conclusion

Answers to human frailty remain obscure, and often the search for solutions is considered fruitless. How do you measure the disposition of key employees? How do you assess the identified dispositional characteristics? Do you promote known managers from within to trusted and critical roles, or do you recruit from outside? The answers are difficult and demand more research. However, in the long run, putting more weight on the human side of wrongdoing will help detect or prevent security breaches. Proposition 1 identifies accountability (the buck stops here) and Proposition 2 suggests that security solutions are incomplete. As a result, much more emphasis must be placed on:
• Knowing the individual who inherits responsibility for security risk
• Understanding how well the individual will cope when it is time to deliver

It would be easy to suggest that existing controls should be strengthened and new ones built. However, there never really is any certainty that security objectives will be fully achieved. It would also be easy to say that human nature is unfathomable and, even if it were not, the tools and techniques to put such knowledge to use do not exist. Therefore, the reliance should be on enforcement. Sadly, enforcement is often a post hoc reaction to what happens and, thus, not a proactive solution. Besides, negative reinforcement through punishment and fines may not be effective. In a field study of daycare centers, when a fine was introduced for late arrival to pick up a child, the incidence of late arrival increased. The parents presumably perceived the penalty as an extra fee for services.9 The reality is that, due to the challenges in deciphering human nature, progress on knowing how the human link breaks down has been slow. More recently, however, there has been a greater degree of interest in uncovering ways to address why people indulge in wrongdoing and what can be done to minimize the impact of such tendencies.

Endnotes
1 Raval, V.; S. Shah; "Third-Party Risk Management," ISACA Journal, vol. 2, 2017, http://www.isaca.org/archives
2 Maniloff, R.; "An Old-School Hacker Fights Cybercrime," The Wall Street Journal, 16 August 2019, https://www.wsj.com/articles/an-old-school-hacker-fights-cybercrime-11565994214
3 Andriotis, A.; R. L. Ensign; "Capital One Cyber Unit Flagged Staffing Woes," The Wall Street Journal, 16 August 2019, https://www.wsj.com/articles/capital-one-cyber-staff-raised-concerns-before-hack-11565906781?mod=rsswn
4 Rundle, J.; "Hackers Go Pro, Seeking Bounties for Bugs," The Wall Street Journal, 12 August 2019, https://www.wsj.com/articles/hackers-go-pro-seeking-bounties-for-bugs-11565602203
5 Palmer, D. A.; "The New Perspective on
9 379.447 311.6441 Tm 0 0 0 1 k -.005 Tc [(Or)9.3(ganizational W)10.3(r)9.8(ongdoing,)83( )]TJ /F4 1 Tf 12.6374 0 TD (California )Tj -12.6374 -1.3333 TD -.02 Tc [(Management Re)6.4(view)]TJ /F3 1 Tf 8.747 0 TD [(, v)7.3(ol. 56, iss. 1, p. 5-23, 2013 )]TJ -8.7066 -1.3333 TD -.005 Tc [(Ra)7.3(v)7.3(al, V)109.9(.; )58.6(A)0( Disposition-Based F)12.7(r)19.5(aud Model: )]TJ ET /GS3 gs BT /F5 1 Tf 9 0 0 9 367.4471 287.6442 Tm .05 .65 1 .01 k 0 Tc (6)Tj ET /GS2 gs BT /F3 1 Tf 9 0 0 9 379.447 275.6442 Tm 0 0 0 1 k -.005 Tc [(Theor)9.3(etical Integr)19.5(ation and Resear)9.3(ch Agenda,)83( )]TJ /F4 1 Tf T* (Journal of Business Ethics)Tj /F3 1 Tf 11.4257 0 TD [(, v)7.3(ol. 150, iss. 3, 2018, )]TJ -11.4257 -1.3333 TD (p. 741-763 )Tj /F4 1 Tf .0404 -1.3333 TD (Op cit)Tj /F3 1 Tf 2.511 0 TD ( Maniloff )Tj ET /GS3 gs BT /F5 1 Tf 9 0 0 9 367.4471 239.6442 Tm .05 .65 1 .01 k 0 Tc (7)Tj ET /GS2 gs BT /F3 1 Tf 9 0 0 9 379.8108 227.6442 Tm 0 0 0 1 k -.005 Tc [(Rudegeair)60.1(, P)158.2(.; A. Andriotis; D)49.8(.)0( Benoit; Capital )]TJ ET /GS3 gs BT /F5 1 Tf 9 0 0 9 367.4471 227.6442 Tm .05 .65 1 .01 k 0 Tc (8)Tj ET /GS2 gs BT /F3 1 Tf 9 0 0 9 379.447 215.6442 Tm 0 0 0 1 k -.005 Tc [(One Hack Hits the Reputation of a )19.5(T)48.4(ech-Sa)7.3(vvy )]TJ 0 -1.3333 TD [(Bank,)83( )]TJ /F4 1 Tf 2.9079 0 TD [(The W)16.1(all Str)9.3(eet Journal)]TJ /F3 1 Tf 9.9924 0 TD (, 31 July 2019, )Tj /F4 1 Tf -12.9004 -1.3333 TD [(https:/)109.4(/www)60.6(.wsj.com/ar)-24.4(ticles/capital-one-hack-)]TJ T* [(hits-the-r)9.3(eputation-of-a-tech-sa)7.3(vvy-bank-115645)]TJ T* [(65402?mod=sear)9.3(chr)9.3(esults&page=1&pos=13 )]TJ /F3 1 Tf .0404 -1.3333 TD [(Gneezy)52.3(, U.; A. Rustichini; )58.6(A)0( Fine Is a Price,)83( )]TJ ET /GS3 gs BT /F5 1 Tf 9 0 0 9 367.4471 155.6442 Tm .05 .65 1 .01 k 0 Tc (9)Tj ET /GS2 gs BT /F4 1 Tf 9 0 0 9 379.447 143.6442 Tm 0 0 0 1 k -.005 Tc (The Journal of Legal Studies)Tj /F3 1 Tf 12.2902 0 TD [(, v)7.3(ol.29, iss. 1, )]TJ -12.2902 -1.3333 TD (p. 
1-17, 2000)Tj ET EMC /Artifact <>BDC 0 0 0 1 K 0 J 0 j .75 w 10 M [] 0 d q 1 0 0 1 30.327 31.531 cm 0 0 m 0 -39.377 l S Q EMC /Artifact <>BDC .902 .529 .102 0 k /GS3 gs 143.268 302.201 205.5 139.5 re f EMC /Artifact <>BDC BT 14 0 0 14 179.514 412.1312 Tm 0 0 0 0 k .0351 Tc -.0175 Tw [(IN)17.5( )19.6(THE)17.5( L)31.7(ONG)17.6( RUN)17.5(,)35.1( )]TJ -1.9286 -1.2857 TD [(PUT)-7.8(TING)17.5( MORE)17.5( WEIGH)14.1(T)37.1( ON)17.5( )]TJ T* [(THE)17.5( HUM)-8.8(AN)17.5( SIDE)17.5( OF)17.5( )]TJ T* [(WRONGDOING)17.6( WILL)17.5( HELP)17.5( )]TJ T* [(DE)-9.8(TEC)14.1(T)37.1( OR)17.5( PREVEN)14.1(T)37.1( )]TJ T* [(SECURI)14.1(T)-7.8(Y)17.5( BREA)5.3(CHES)17.5(.)]TJ ET EMC /Artifact <>BDC Q q 1 i 303.359 331.327 23 -23.75 re W n .047059 .65098 .98824 .003922 k /GS3 gs q 1 0 0 1 321.463 321.039 cm 0 0 m -.099 -2.881 -.579 -5.075 -1.441 -6.582 c -2.301 -8.089 -3.643 -9.223 -5.464 -9.985 c -3.279 -13.462 l -.265 -12.104 1.937 -10.101 3.328 -7.452 c 4.389 -5.464 4.918 -2.252 4.918 2.186 c 4.918 10.382 l -4.67 10.382 l -4.67 0 l 0 0 l h -12.64 0 m -12.739 -2.881 -13.219 -5.075 -14.081 -6.582 c -14.941 -8.089 -16.283 -9.223 -18.104 -9.985 c -15.919 -13.462 l -12.905 -12.104 -10.703 -10.101 -9.312 -7.452 c -8.251 -5.464 -7.722 -2.252 -7.722 2.186 c -7.722 10.382 l -17.31 10.382 l -17.31 0 l -12.64 0 l f Q EMC /Artifact <>BDC Q q 1 i 149.461 437.557 23 -23.75 re W n .047059 .65098 .98824 .003922 k /GS3 gs q 1 0 0 1 154.379 424.189 cm 0 0 m .099 2.881 .579 5.075 1.441 6.582 c 2.301 8.089 3.643 9.223 5.464 9.985 c 3.279 13.462 l .265 12.104 -1.937 10.101 -3.328 7.452 c -4.389 5.464 -4.918 2.252 -4.918 -2.186 c -4.918 -10.382 l 4.67 -10.382 l 4.67 0 l 0 0 l h 12.64 0 m 12.739 2.881 13.219 5.075 14.081 6.582 c 14.941 8.089 16.283 9.223 18.104 9.985 c 15.919 13.462 l 12.905 12.104 10.703 10.101 9.312 7.452 c 8.251 5.464 7.722 2.252 7.722 -2.186 c 7.722 -10.382 l 17.31 -10.382 l 17.31 0 l 12.64 0 l f Q EMC Q endstream endobj 40 0 obj <>/ExtGState<>>> endobj 6 0 obj <> endobj 5 0 obj <> 