Cybersecurity: Converting Shock into Action

Abstract

BIGBADABOOM-2. That's the name of a recent cybersecurity breach affecting 5 million stolen credit card and debit card holders (O'Brien, 2018). Unfortunately, these breaches are becoming all too common. At an alarming rate, nation states and malign actors are better equipped to conduct cyberattacks than ever. The risk is growing. Some adversaries will be able to disrupt critical infrastructure against the United States in a crisis short of war (Coates, 2018). To make matters worse, cyber threat actors are more threatening and their abilities more sophisticated. While "abilities"are just as important to defend against cyberattacks, attitudes are just as vital when it comes to the selection of the required learning strategies given their connection to necessary cybersecurity behaviors. Unfortunately, the DoD's current approach for the acquisition community won't easily fulfill the stated and implied security and resilience imperatives anytime soon unless attitudes (a critical catalyst) start to change. The learning strategies required that embody it trace back to Bloom, Krathwohl, and Harrow;all research leaders in their respective fields. Their works speak to the importance of the affective domain (i.e., the way our attitudes affect our learning behaviors). This study explores the impact of the DoD's overall implied cybersecurity learning strategy and associated actions taken to date;all intended to safeguard the efficacy of the DoD's weapon systems and supporting infrastructure. Also included is a case study discussion to demonstrate the cybersecurity actions taken by one particular organization to better prepare themselves for their assigned cybersecurity duties despite the DoD's good intentions. The learning outcome of this case study could serve as a forerunner for other DoD acquisition organizations as they consider how to implement a robust, effective and sustainable cybersecurity program. The researchers firmly believe that the DoD will be hard pressed to achieve the desired gains in security and resilience without recognizing that the critical cybersecurity behaviors and concomitant attitudes at the individual, team, and organizational levels come first. And, that might come as a shock.