AMU Cyber & AI Privacy

Countering Cybersecurity Attacks through Accountability

NOTE: This article first appeared at In Cyber Defense.

By Dr. Novadean Watson-Williams
Program Director, Information Technology Management and Computer Technology, American Military University

Take a moment and imagine what cyber threat might surface in an organization today. The list is endless. There is a hacker studying new ways to access sensitive or proprietary information or data every second.

Start a Homeland Security degree at American Military University.

So how can users and organizations survive these limitless security threats and an inevitable security breach? What can be done to protect sensitive data? The solutions may align with the word “accountability.”

Cyber Threats Come from Everywhere: No One Is Immune

Cybersecurity threats are real and pervasive. These threats may come from bad actors such as disgruntled employees, unhappy customers, business competitors, organized crime, foreign governments, hacktivists or terrorists. Other cybersecurity threats include vulnerabilities in the design of a computer system or software and even business partners such as third-party vendors.


These bad actors may commit fraud, theft or data erasures. They take advantage of hacking tools and techniques, malicious codes, user errors, social engineering, Denial-of-Service attacks, and zero-day vulnerabilities in applications.

These cybersecurity threats typically target the confidentiality, integrity and availability (CIA) of organizational data. These three qualities – confidentiality, integrity and availability – are the basic tenets of the information security triad as defined by the International Organization for Standardization (ISO) standards.

Interestingly, no one system or organization is immune from cyber threats as the big data collected by many agencies lives in a multitude of databases, often managed by third parties. According to a report, “…the total cost, per-capita cost and the average size of a data breach (by the number of records lost or stolen) have all increased year over year… the average total cost of a breach ranges from $2.2 million for incidents with fewer than 10,000 compromised records to $6.9 million for incidents with more than 50,000 compromised records. The study revealed that a mega breach (involving 1 million compromised records) could cost as much as $39.49 million. Unsurprisingly, this figure increases as the number of breached records grow.”

The Shift to Open Source Has Created More Cybersecurity Vulnerabilities

Unfortunately, the implication for security threats has increased over time, particularly since more and more firms and organizations are shifting to open-source tools and products. According to the 5th edition of Synopsys’ Open Source Security and Risk Analysis (OSSRA) report, 75% of the open-source in codebases (a collection of source code used to build software or apps) by the industries audited in 2019 had at least one public vulnerability.

Less Common Cybersecurity Threats Such as Zero-Day Software Vulnerabilities Are on the Rise

Other types of less commonly known cyber, such as zero-day vulnerabilities in applications, have also been on the rise. A zero-day vulnerability is a type of threat that ignores the user and focuses on the exploitation of application attributes to create a potential security breach.

Clearly, no one layer of a security solution is sufficient in today’s cyber threat climate. To address myriad cyber threats, organizations and their users may need to unleash the power of accountability.

Accountability in Cyberspace

notes that organizations are championing the need for a full Cyber Threat Intelligence (CTI) program. The SANS Institute report also found that “At a high level, the leading use was for threat detection (89%), followed by threat prevention (77%), threat response (72%) and threat mitigation (59%).

Organizations focusing too heavily on threat prevention often struggle with detection and response, which would otherwise be core to their ability to maintain great prevention over time. It’s clear from this year’s survey data that many organizations, at least where CTI is involved, have seen detection as the primary value driver.”

With this attitude shift in organizations comes the need for. Merriam-Webster defines accountability as “…an obligation or willingness to accept responsibility or to account for one’s actions.” Also, John G. Miller, the author of the book “Flipping the Switch: Unleash the Power of Personal Accountability Using the QBQ!” reinforces the need for personal accountability and to take action. Miller defines QBQ as “Question Behind the Question.”

Using Miller’s QBQ to Create Questions for Cybersecurity Analysis

The use of QBQ as a tool can help leaders and cyber users practice better accountability by asking the right type of questions that would translate into more effective thinking and acting after a cybersecurity breach. Instead of prefacing questions with words such as “Why,” “When,” or “Who,” which suggests victim-blaming and a procrastination mentality, Miller recommends using questions that begin with “What” and “How.” He explains that “What” and “How” questions promote being open-minded and embracing change.

The Five Advantage Principles

Miller says that changing behavior via the advantage principles of learning, ownership, creativity, service and trust and using strategic questioning is exactly what organizations and users can use to combat a cyber world riddled with cyber threats. While tangible measures are often used to address cyber threats, Miller’s advantage principles focused on personal accountability are an excellent start.

The advantage principle of learning is a way to produce knowledge and intellectual growth that comes from QBQs such as:

  • “What can I do to keep my organization secure?”
  • “How can I apply key cybersecurity measures?”

The advantage principle of ownership points to addressing cyber threat problems immediately and strategically without causing blame. Miller recommends that organizational employees exercise accountability “instead of blaming, complaining, procrastinating, or making excuses” by asking QBQs such as:

  • “How can I help address cyber threats?”
  • “How can I contribute to security solutions?”

The advantage principle of creativity invites users and organizations to look for innovative ways to address cyber threats. It promotes an attitude of planning for the unexpected and maintaining a contingency plan. Applying this principle would create QBQs such as:

  • “What strategy plan, tactic, process, tool and techniques do I have to prevent a security breach?”
  • “What action can I take moving forward?”

The advantage principle of service encourages the “Service before Self” Air Force core value. It reminds individuals to follow rules, policies, and self-control while offering support to fellow colleagues and strengthening relationships and teamwork.

Most organizations promote the idea, “Organizations don’t serve people; individuals serve people.” Questions associated with QBQ would entail the following:

  • “What can I do to understand others’ cybersecurity needs?”
  • “How can I serve the organization by adhering to cyber threat policies?”

Finally, the advantage principle of trust is a continuation of service. Trust promotes openness, assuredness, reliance, and care and interest in others or the organization.

In this new work environment of teleworking due to the spread of COVID-19, trust becomes even more critical, especially when it’s aligned with integrity and “doing what’s right when no one is looking.” Using the QBQ technique would build trust by someone asking:

  • “How can I support the organization’s efforts in cybersecurity?”
  • “How can I campaign for cybersecurity while building a relationship with my colleagues in the organization?”

These simple principles coupled with questions focused on accountability will help organizations and individual users to better protect sensitive information, support the organization’s mission, goals, and objectives, and usher in a stronger sense of responsibility. Information security experts Thomas R. Peltier, Justin Peltier and John Blackley reinforced this way of thinking in their “Information Security Fundamentals.” They observe, “Information protection is an integral element of due care, [members of an organization, particularly leaders] are charged with two basic responsibilities: a duty of loyalty –this means that whatever decisions they make must be made in the interest of the enterprise [and a] duty of care—this means [protecting the assets of the organization and make] informed…decisions.”

The world keeps changing. Users and organizations must keep pace with technological changes and today’s cyber world. Cyber threats will only become more disruptive and troublesome over time, but practicing accountability is a good step forward.

About the Author

Dr. Watson-Williams is currently the Program Director for the undergraduate programs in information technology management and computer technology at American Military University. She serves an aggressively growing department and has over 20 years of experience in the information technology field. Dr. Watson-Williams holds an A.A. in Computer Studies and a B.S. in Information Systems Management from the University of Maryland University College, a B.S. in Social Science Education from the University of South Florida, an M.A. in General Counseling from Louisiana Tech University, and a D.B.A. in Information Systems from Argosy University. 

Recently, Dr. Watson-Williams presented webinars on Negotiation and Entrepreneurship (Oct 29-30, 2019) for the CompTIA Association of Information Technology Professionals. Previously, she published several blog articles on topics such Creating a Personal Brand through Using the Internet, Leadership Using Effective Nonverbal Communication, Inspiring Self-Improvement through Technology Education, Collective Intelligence and Soft Skills. She has also co-published several other articles, including “RFID with Real Implications,” “Artificial Intelligence in Information Security” and the “Evolution of Information Security.”

Comments are closed.