Teaching Information Security Management Using an Incident of Intellectual Property Leakage

Case-based learning (CBL) is a powerful pedagogical method for creating dialogue between theory and practice. CBL is particularly suited to executive learning, as it instigates critical discussion and draws out relevant experiences. In this paper we used a real-world case to teach Information Security Management to students in Management Information Systems. The real-world case is described in a legal indictment (T-mobile USA Inc v. Huawei Device USA Inc. and Huawei Technologies Co. LTD) alleging theft of intellectual property (trade secrets) and breaches of contract concerning confidentiality and disclosure of sensitive information. The incident concerns a mobile phone testing robot (Tappy) developed by T-mobile USA to automate the testing of mobile phones prior to launch. T-mobile alleges that Huawei stole the technology by copying the robot's specifications and stealing parts and software to develop its own testing robot. The incident scenario is interesting because it relates to a business asset with both digital and physical components that was compromised through an unconventional cyber-physical attack facilitated by insiders. The scenario sparked an interesting debate among students about the scope and definition of security incidents, the role and structure of the security unit, the utility of compliance-based approaches to security, and the inadequate use of threat intelligence in modern security strategies.
