Professional Responsibility


Security failures do occur. Firms that have not fallen into the clutches of an attack are rare. Even individual computer users are familiar with some of the damaging repercussions of insufficient security measures. Computer viruses wreak havoc on computer systems, introducing worms and Trojan horses into systems, damaging computer code, and costing hours of frustration. This vulnerability is costly to a single computer, but the cost becomes exponential in massive networked infrastructures. Millions of dollars a day can be lost due to these attacks in some institutions.

Organizations in both the public and private sector also face another challenge when their system vulnerabilities are exploited. That challenge is whether to report the attack to the authorities and whether to release information regarding the attack to the general public.

Reporting security incidents to the authorities is sensitive in nature. While the firm may need all the assistance they can possibly obtain, the authorities have a legal obligation to record and report the incident for investigation and auditing purposes. The Federal Bureau of Investigation (FBI) is usually the leading investigating body for cyber crime incidents in the private sector. The private sector also employs private cyber forensic investigation teams to assist in eliminating and securing the infrastructure. The public sector also utilizes the FBI, but governmental organizations that have a stake in national security must alert the National Security Agency (NSA).

Many Computer Emergency Response Teams (CERTs) have been established worldwide to assist organizations in recovering from computer attacks. Both the public and private sectors employ the CERTs. They are most valuable during the initial attacks on automated systems. Various cyber forensic techniques are initiated by the CERTs to identify the attacker and provide guidance on eliminating the immediate threat.

Reporting intrusions and attacks to the public is also sensitive. Publicizing security failures can have detrimental effects. While there is some argument that the organization has a professional responsibility to report failures to protect the customer's interest, there are also legitimate arguments against such reporting. Reporting a security vulnerability, in itself, may cause an escalation in similar attacks on the very same vulnerability.

The firm must also take into account that reporting a security breach may result in a loss of customer and investor confidence. If customer and investor confidence evaporates quickly, the firm would not only be scrambling to patch the holes in its security enclave, but would also be struggling to reassure customers and investors that counteractive measures are being undertaken to prevent continued and future attacks. Timid knee-jerk reactions by customers and investors will only compound and prolong the difficulties.

Firms that are interconnected with supply chain partners also have a responsibility to notify their partners of the security breach to limit potentially damaging security vulnerabilities from spreading to their partners.

The Harvard Business School case study scenario: The iPremier Company (A): Denial of Service Attack illustrates the chaos that ensues during a security failure within a firm. Although this scenario is not an actual event, the actions taken in this case are strikingly similar to the actions taken by firms during an initial cyber attack. It would be advisable to obtain a copy of the case scenario as a training document for all levels within an organization (Austin, 2001).




Information Technology Security. Advice from Experts
ISBN: 1591402484
EAN: N/A
Year: 2004
Pages: 113
