CONTENTS
I. EXECUTIVE SUMMARY
A. Purpose
B. Introduction
C. Problem Statement
D. Essential Research Questions
II. RESEARCH DESIGN AND DATA COLLECTION
A. Research Methodology
B. Statistical Tests
III. ANALYSIS
C. Test for the Correlation Coefficient of the Medium Sized Companies for Data Breaches and Associated Financial Impact
D. Test for the Correlation Coefficient of the Large Sized Companies for Data Breaches and Associated Financial Impact
IV. CONCLUSION
Works Cited
EXECUTIVE SUMMARY
Purpose
This statistical research report explores the validity of claims that the use of cloud computing technologies may make the corporate sector vulnerable to various cyber assaults (Your Google Experts, 2015, web.). It focuses on middle and large-scale companies that use the Apple Cloud, Google Drive, Microsoft One Note, Oracle and Amazon Cloud platforms. The research attempts to calculate a vulnerability index for these companies and for firms that continue to use conventional data-transmission technologies (CD drives, flash drives, etc.).
The findings of this paper may be used by members of the US (and international) business segment who are considering a shift to cloud storage technologies but for whom security concerns remain the major impediment. The paper seeks to show that traditional storage technologies are not safer than cloud ones, and tries to provide statistical substantiation of this assumption.
Introduction
Over the past five years cloud storage and computing have become one of the most dynamically evolving areas of the information technology segment (Vernik et al, 2013, 44-46). The corporate community unanimously names the following among the major advantages of these solutions:
Reduced costs. Practice shows that the fees payable to cloud platform providers are smaller than the costs of physical storage drives, backup tapes and other solutions (O’Brien & Marakas, 2011, 254). In contrast to popular physical devices, the amount of ‘saving space’ on cloud storage and computing platforms is virtually unlimited. Furthermore, cloud storage technologies save time – routine manual backup procedures are more time and energy consuming (Your Google Experts, 2015, web.).
Cloud storage areas are invisible for all intents and purposes, and require no physical presence. In light of today’s popularity of ergonomic office areas, this factor becomes a serious advantage.
Automation – in contrast to many physical storage tools, cloud storage solutions back up files automatically and regularly. The risk of losing important, sensitive data is greatly reduced (Laszka et al, 2014, 18).
Accessibility – working files may be easily accessed from any place in the world on tablets, smartphones, netbooks, PCs and other platforms that support the respective technology. There is no need to keep numerous staff in the office: employees may work remotely. Today’s most popular cloud storage and computing solutions support all popular mobile devices.
Other essential pluses of cloud storage technologies include synchronization, sharing, collaboration, and recovery options.
However, despite all these obvious advantages, some companies are still skeptical about introducing them into their business cycles. The main reason is security: once sensitive data is stored on remote servers, it has to pass through several intermediaries before reaching the recipient. Malevolent parties may intercept it if they manage to find vulnerabilities in the system (Your Google Experts, 2015, web.).
Today, hackers are sometimes more skilled and accomplished than the IT specialists hired by companies. They continually devise sophisticated algorithms and malware that identify weak points in the cloud storage software architecture. The results of these assaults, as well as the motives behind them, vary and include:
Leak of important trade secrets to the competitors
For instance, some sources suggest that the 2011 security breach of the Toyota engineering databases was in reality orchestrated by BMW, which tried to obtain a revolutionary brake technology. The truth is still hidden behind the corporate veil, but a similar technology was announced in Munich at a BMW conference in 2012.
Another notorious attack took place in 2009, at the very dawn of the evolution of cloud storage and computing. At that time hackers got access to the databases of Exxon Mobil, BP and Royal Dutch Shell. As a result, important topographical data about freshly discovered oil and natural gas deposits ended up at the disposal of their closest competitors: Rosneft from the Russian Federation and several Chinese oil giants.
In 2009, Starwood Hotels & Resorts became embroiled in heated litigation against one of the pillars of today’s hospitality industry, The Hilton, Inc. The claimant argued that hackers hired by Hilton penetrated its corporate databases and ferreted out more than 110,000 pieces of confidential documentation about the launch of a “lifestyle” hotel by Starwood. The firm’s litigators argued that the “truckload” of stolen files had “highly sensitive and competitively essential information”.
The parties reached a settlement in 2010, which required Hilton to pay $75 million in damages and abstain from launching similar projects for the next two years.
Extortion by the hackers
In 2014, a hacking group known as Rex Mundi took possession of more than 600,000 customer records of Domino’s Pizza. The hackers demanded a ransom of $40,000 for returning this privileged information, which included names and surnames, addresses, emails, phone data, pizza preferences, etc. Although Domino’s Pizza asserted that the demands of the extortionists had never been made, the fact that the customer records never became public suggests that the firm was rather complaisant in that case.
[Figure: Estimated damages of a typical denial of service attack for different industries]
In 2014, P.F. Chang’s experienced one of the largest data breaches, with a lot of information about customers’ payment details compromised by the assailants. The hackers did not extort money from the company but followed a rather unorthodox approach: they started selling stolen accounts on the black market, with prices fluctuating between $18 and $150, depending on account freshness.
Overall, it is clear that while the benefits of cloud storage and computing substantially simplify business processes, the associated hidden dangers should always be considered by decision-makers when analyzing whether such a system should be launched within a particular organization (O’Brien & Marakas, 2011, 145).
Problem Statement
Today’s findings show that despite providing extremely functional and productive advantages to the private (and public) sector, cloud storage technologies have one important disadvantage. The fact that sensitive data possessed by a company may end up at the disposal of competitors or blackmailers frightens off important players in the corporate field. Those that already use some sort of cloud technology have started thinking about returning to conventional storage devices. However, their decisions are predominantly based on precautions and misgivings (Vernik, 2013, 78). Not a single valid statistical examination of this phenomenon has been conducted so far. Moreover, some sources suggest that even when the actions of the assailants have negative results for a company, the impact is minimal in financial metrics.
[Figure: Correlation between the cyber assaults and inflicted financial damage (Vernik, 2013, 54)]
The problem in this context is to measure to what extent the probability of being hacked neutralizes the advantages of cloud computing and storing.
Essential Research Questions
This statistical research seeks to answer the following questions, which will make it possible to understand whether there is a real danger in the use of cloud storage, or whether this problem has been inflated by the media:
Does a statistically significant difference exist between the corporate database breaches of middle and large-scale business ventures and those of ventures that use conventional data-storage solutions?
Does a statistically significant difference exist between the corporate database breaches of middle and large-scale business ventures and the losses they incurred as a result of these breaches? In other words, it is necessary to ascertain whether security breaches, and no other causes, lead to the declared financial losses.
RESEARCH DESIGN AND DATA COLLECTION
Research Methodology
The chosen research methodology involves the study of companies whose corporate databases were breached between 2012 and 2015. The facts about the breaches, the declared amounts of financial and other losses, the nature of the attacks and other important information were obtained from internet-based databases, reputable academic journals, published interviews, books and other authoritative and reliable sources (Anderson, Sweeney & Williams, 1994, 63). Thirty-eight middle-scale companies, representing different industries, scales of business and extents of use of the technology, participated in this research (N=38). For the large-scale companies, forty-four corporations participated (N=44).
As far as scoring is concerned, the number of attacks received is used, 0>2000. The mean is 1000, and the standard deviation is fixed at 200 (μ=1000; σ=200). According to the present research design, middle-scale companies are those whose number of employees does not exceed 250 staff members, whose annual financial turnover is < $50 billion, and whose balance sheet total is < $43 billion. Respectively, large-scale companies are those whose number of employees exceeds 250 and whose annual financial turnover is higher than $50 billion.
The measurement is made after each diagnosed attack on the company servers. The outcomes of the attack are then analyzed and, when possible, the research team assesses the financial impact inflicted on the firm.
Statistical Tests
In order to interpret the collected assessment data, several statistical tests were carried out. First, a one-way analysis of variance (ANOVA) F test was carried out for both medium and large-scale corporations with sample sizes of 30 (n = 30). The significance level for that test is 0.1 (α = 0.1).
The next step is to perform the Tukey-Kramer multiple comparisons procedure for the one-way ANOVA test in order to determine which of the c means differ significantly for each assessment session and grade level at the 0.1 level of significance (α = 0.1).
The final stage of this research is to perform the test for the correlation coefficient in order to find out whether any significant linear relationship exists between cyber assaults and the financial losses (Hays, 1973, 42) incurred by the medium and large-sized companies.
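The correlation test named above, worked through as an added example that is not part of the original report. It assumes the standard form of the test, t = r·sqrt(n − 2)/sqrt(1 − r²) with n − 2 degrees of freedom and a two-sided alternative; the attack counts and loss figures are constructed sample data, and all function names are illustrative.

```python
import math

# Constructed sample data: attacks per company and declared losses (in $1000s).
ATTACKS = [850, 900, 950, 1000, 1050, 1100, 1150, 1200]
LOSSES_UNRELATED = [50, 30, 60, 20, 70, 40, 50, 40]
LOSSES_TRACKING = [20, 40, 50, 40, 50, 70, 80, 90]

def pearson_r(xs, ys):
    """Sample Pearson correlation coefficient r."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("r is undefined when one variable is constant")
    return sxy / math.sqrt(sxx * syy)

def t_pdf(t, df):
    """Density of Student's t distribution with df degrees of freedom."""
    c = math.gamma((df + 1) / 2) / (math.sqrt(df * math.pi) * math.gamma(df / 2))
    return c * (1 + t * t / df) ** (-(df + 1) / 2)

def two_sided_p(t, df, steps=2000):
    """P(|T| >= |t|), integrating the density over [0, |t|] with Simpson's rule."""
    a = abs(t)
    if a == 0:
        return 1.0
    h = a / steps
    total = t_pdf(0, df) + t_pdf(a, df)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * t_pdf(i * h, df)
    return max(0.0, 1 - 2 * total * h / 3)

def correlation_test(xs, ys, alpha=0.1):
    """Test H0: rho = 0 against H1: rho != 0 at significance level alpha."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need paired samples with n >= 3")
    r, df = pearson_r(xs, ys), len(xs) - 2
    if abs(r) >= 1:  # perfect linear relationship: t is unbounded
        t, p = math.copysign(math.inf, r), 0.0
    else:
        t = r * math.sqrt(df / (1 - r * r))
        p = two_sided_p(t, df)
    return {"r": r, "t": t, "df": df, "p": p, "reject_h0": p < alpha}

if __name__ == "__main__":
    for name, losses in (("unrelated", LOSSES_UNRELATED), ("tracking", LOSSES_TRACKING)):
        print(name, correlation_test(ATTACKS, losses))
```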
ANALYSIS
One-Way ANOVA F Test for Middle-Sized Companies & Tukey-Kramer Test
The data was evaluated with a null hypothesis of no absolute difference in the medium-sized segment of the 30 sample corporations. The p-value was calculated to be 0.00000 at a computed Fstat of 7381.6538 (Fstat>1.7456). Therefore, the null hypothesis should be rejected, and it was ascertained that the difference between the variables in question was significant.
Reject H0: μ1 = μ2 = ⋯ = μc
In order to determine which means are significantly different, the research team administered the Tukey-Kramer procedure. The Q statistic was set at 5.1, with the numerator df and denominator df set at 14 and ∞ respectively, with no significant exceptions.
One-Way ANOVA F Test for Large Scale Companies and Tukey-Kramer
The data in question was evaluated with the null hypothesis in the large-scale business segment of the sample (30 companies). The p-value was found to be 0.0000 at a computed Fstat of 148231.5230 (Fstat>1.7381). Thus, we rejected the null hypothesis and found that a significant statistical difference existed between the mean scores of our metrics.
Reject H0: μ1 = μ2 = ⋯ = μc
In order to determine which means are significantly different, the research team administered the Tukey-Kramer procedure. The Q statistic was set at 5.1, with the numerator df and denominator df set at 14 and ∞ respectively, with no significant exceptions.
Test for the Correlation Coefficient of the Medium Sized Companies for Data Breaches and Associated Financial Impact.
The data sets were evaluated with a null hypothesis of no linear relationship between the identified security breaches and the inflicted financial losses. Using the 0.1 level of significance, the critical value of t – 4=15 degrees of freedom was 2.21. The figures for Tstat are .8181<2.341, so the null hypothesis is accepted. In particular, it becomes clear that there is no significant linear relationship between the breaches of databases of the middle-sized companies and the incurred financial losses.
Accept H0: ρ = 0 (no correlation)
Test for the Correlation Coefficient of the Large Sized Companies for Data Breaches and Associated Financial Impact
The data sets were evaluated with a null hypothesis of no linear relationship between the identified security breaches and the inflicted financial losses. Using the 0.1 level of significance, the critical value of t – 4=15 degrees of freedom was 2.21. The figures for Tstat are .3421<2.341, so the null hypothesis is accepted. In particular, it becomes clear that there is no significant linear relationship between the breaches of databases of the middle-sized companies and the incurred financial losses.
Accept H0: ρ = 0 (no correlation)
CONCLUSION
Interpretation of the available data suggests that there is no conclusive evidence that security breaches are the primary cause of significant financial losses incurred by companies during periods of turbulence in the international economy.
Although some individual cases of data theft led to serious financial impacts, an outflow of customers or other ruinous outcomes, in the overwhelming majority of cases the outcomes of security breaches were minimal. Either the companies paid negligible ransoms, or they ignored the extortionists’ demands altogether with no ensuing negative outcomes.
In practice, poorly managed marketing campaigns, ineffective governance and poor quality assurance programs are far more disastrous for the business segment. Thus, the shortcomings popularly associated with cloud storage and cloud computing technologies are substantially exaggerated.
Works Cited
Anderson, David R., Dennis J. Sweeney, and Thomas A. Williams. Solutions manual to accompany Introduction to statistics, concepts and applications, third edition. Minneapolis: West Pub. Co, 1994.
Hays, William L. Statistics for the social sciences. New York: Holt, Rinehart and Winston, 1973. Print.
Laszka, Aron, Benjamin Johnson, Pascal Schöttle, Jens Grossklags, and Rainer Böhme. "Secure Team Composition to Thwart Insider Threats and Cyber-Espionage." ACM Transactions on Internet Technology 14.2-3 (2014): 1-22. Print.
O’Brien, J. A., and G. M. Marakas. "Computer Software." Management Information Systems. New York: McGraw-Hill/Irwin, 2011. Print.
Vernik, Gil, et al. "Data On-boarding in Federated Storage Clouds." Proceedings of the 2013 IEEE Sixth International Conference on Cloud Computing. IEEE Computer Society, 2013. Print.