Zoom Inside: The Case for Cybersecurity Clinics and What They Can Teach Your Firm

Publication Type: Other Writing
Publication Date: September 28, 2016

Indiana is known for several things—the Indy 500, Hoosiers basketball, Notre Dame football, and corn. Cybersecurity does not typically make that shortlist, but perhaps it should. Owing to a vibrant cybersecurity startup scene, the cutting edge supply chain cybersecurity work being done at the Naval Surface Warfare Center Crane Division (the third largest naval installation in the world), and innovations at Indiana University (IU), to name a few, Indiana institutions are beginning to make some important progress on thorny cybersecurity risk management topics with practical relevance.

Recently IU has embarked on a series of interdisciplinary cybersecurity initiatives. These include an array of cybersecurity certificate programs, and a new MS in Cybersecurity Risk Management, which features required coursework from Secure Computing, Enterprise Risk Management, and Law, as well as an applied capstone consulting project (or cybersecurity clinic) for a real world client.

How a Cybersecurity Clinic Works

There are many varieties of cybersecurity clinics being tried around the world—Malaysia, for example, is already experimenting with this notion at the national level—but here a cybersecurity clinic may be defined as an interprofessional team of computer science, law, and business students that conducts a supervised cybersecurity consulting project for a client, focused on instilling technical, legal, and managerial cybersecurity best practices. These clinics are principally concerned with enhancing the cybersecurity preparedness of underserved clients, including local governments, small businesses, K-12 school corporations, and critical infrastructure providers. This approach stands in contrast to existing stand-alone legal clinics focused on particular issues such as privacy or cyber law. Instead, the type of interdisciplinary cybersecurity clinic on which IU is focusing recognizes that effective cybersecurity risk management requires considering cybersecurity from a more holistic perspective.

In 2015, IU, in partnership with the Indiana Office of Technology, launched a pilot program with the town of Speedway, Indiana (home of the Indy 500). In Speedway, an interdisciplinary team of IU graduate Law, Business, and Informatics students assessed our client’s supervisory control and data acquisition (SCADA) vulnerabilities, generated a more comprehensive incident response plan, analyzed Speedway’s potential liability exposure in the event of a data breach, and revised their employee handbook’s privacy policies. In particular, the students:

  • Assessed the privacy and cyber risk to Speedway, including general cybercrime and terrorism risks, couched within cyber attack data for Indiana organizations using a risk assessment built on top of Microsoft’s Damage, Reproducibility, Exploitability, Affected Users, Discoverability (DREAD) system.
  • Analyzed Speedway’s SCADA systems, role-based password security, password policy, work station policy, disaster recovery protocols, single points of failure, remote access, “Bring Your Own Device,” and general privacy policies.
  • Investigated the state and federal privacy and cybersecurity laws and policies related to SCADA and employee technical use applicable to Speedway; and
  • Suggested a host of technical and managerial best practices ranging from the specific (e.g., codifying all procedures related to Speedway’s SCADA systems and improving employee cybersecurity training) to the general (e.g., creating a mobile device management policy for lost or stolen phones, and including an email privacy trailer in official correspondence), using the NIST Cybersecurity Framework as a baseline. Further suggestions and tactics are listed below:

Read the full piece at Security Roundtable