Friday, June 8, 2018

Review: Accreditation Council for Business Schools and Programs Conference 2018

As I've done in the past, I like to blog about conferences/training I've attended because 1) I think it might be useful to others and 2) it serves as a sort of note taking system for me. I get sick of all my paper notes everywhere and this way, I can make sure I hold on to these "notes" long after my physical notes have been lost or tossed.

This conference is for the 30th annual conference for the Accreditation Council for Business Schools and Programs. They are an accrediting body for business schools who help schools like Tarleton to identify problem areas and create policies, procedures, and other solutions to insure that continuous process improvements are in place. This is my first time here but I can tell you that this one stacks up well in terms of the usefulness of the sessions.

Record Graduate Growth Rates through Faculty Led Recruitment by Dr. Griffin and Dr. Adams

This was an interesting and relevant presentation for me. As an outgoing department chair and an incoming associate dean, increasing enrollments becomes a bigger priority for not only my discipline, but now the entire college. So, how do we do that? Well, they had what I think are some good suggestions.  The reality is that it is a tough market right now. There are forces in place that are driving down graduate enrollments. This has led some school to eliminate their graduate programs. These enrollment trends have had far reaching effects. For example, reduced state appropriations, increased competition with for-profit institutions, etc. Their literature review revealed that there is a lack of articulated student recruitment plans, that the majority of faculty view recruitment as part of their job despite the fact that they also feel they are not required to engage in recruitment, that there is little in the literature the highlights the systematic process that directly involves faculty in graduate recruitment, and that there is no tangible empirical evidence in the literature that shows the impact of graduate faculty-led student recruitment.

The goal behind their research was to identify some best practices in faculty involved recruitment. Before their efforts, their two graduate programs had flat enrollments for several years.
  1. Streamline internal processes: This was interesting and one I need to look into at Tarleton. They were finding that they would have applicants being processed for 70 some odd days, waiting for all the appropriate paperwork to arrive before granting admission into their programs. What they were finding is that students would leave, searching for other institutions due to the delays. Rather, they suggested granting conditional acceptance pending all appropriate documentation. In this way, future students would begin to identify and gain access to the university and its resources more quickly with the hope that they would cease their shopping around for other universities/programs due to the delays.
  2. They also instituted a 4+1 program whereby students could earn credit towards their undergraduate degree taking graduate courses that could then also be applied towards their graduate degree if admitted into the graduate program. Students are required to take a full load of 12 hours of graduate and undergraduate courses, maintain a 3.0 and have completed at least 60 hours toward their degree. This helps to jump start students towards their graduate degree.
  3. They send email blasts to undergraduate students twice a year by department to promote their graduate programs and twice a year to promote their 4+1 options. They also send email blasts out to graduate students to promote sequential degree options twice a year as well as to post course announcements in the LMS to promote sequential degree options. Lastly for graduate students, they post and email reminders to register for upcoming terms each term, five times per year. For undergraduate alumni, they send out emails to promote their graduate programs twice yearly. For graduate alumni, they send email blasts to promote their sequential degree options twice a year. Finally, for industry professionals, they present at regional and national conferences that highlight aspects of the graduate program (average 3 times per year), network at professional organization functions (average once per quarter), and share notable improvements and accomplishments with the graduate programs to advisory board member and scholars/practitioners (each term, 5 times per year). They also promote their graduate programs to those professional groups through email blasts twice per year and promote access to education (A2E) to build corporate partnerships.
This was a very useful session and I came away with several ideas that as department head, I would definitely try with my department. As the incoming associate dean, I will expand this to include the entire college. Oh, BTW, another idea they pitched was the need for drops to be processed in such a way that instructors had to approve the drop. In this way, instructors had the opportunity to evaluate a student's progress and help student's determine the best course of action as to whether or not to drop a course. We could do this but I would still want them to go through advising to make sure that others things that might be impacted, like financial aid, are considered as well.

Innovative Retention: Developing Faculty for Student Success by Ms. Myers and Ms. Friesen

Using the Composite Persistence Model (Ravai, 2003) as a guide, they talked about opportunities to retain students. They talked about the need to train faculty to identify opportunities to help retain students.
  • For example, they had a professor who refused to really participate in student retention activities but, that whenever a story about a student was in the paper, would cut out the article and share that article with her student. In effect, she was creating a positive result, thus, increasing student retention without her even realizing it. Once this was shared with her, she increased her efforts to increase student retention in this manner. Essentially, cheering on students for their accomplishment (in and outside of class) in front of their peers has a positive effect on retention.
  • Another way to "engage" students in to post pictures of them and faculty in class, student organizations, and other activities on the walls and on social media. This helps to create a "legacy" for students who sometimes find themselves looking for themselves in the pictures.
  • Help students understand the jargon/language of the discipline. Things like LIFO/FIFO, SWOT, Elevator Speech, etc. Help them understand the language of their discipline early on so they do not get lost and out of place as they advance.
  • Treat your LMS as a gathering place. Hold virtual office hours and include synchronous session to help increase student engagement. Give an assignment where students must come by your office to chat for a bit. This helps to reduce their anxiety about coming to see their instructors.
  • One of the most interesting things I heard came as kind of an afterthought discussion between the presenters and audience. Periodically, faculty miss a class for whatever reason. One of the deans stated that they were going to use that as an opportunity to engage students in terms of talking to them about the resources they have on campus for studying, help with financial aid, issues with instructors, etc. I see this as a real gold mine and I think, given some forethought, could allow me to engage students in the college and help put a face on the administration and help students gain more perspective into the college, its processes, and hopefully, make them feel like more of the process themselves. I could ask them for example, what they like about the teaching styles, courses they like/don't like, what they wish were offered, etc. I could use it as an opportunity to discuss the importance of participating in student organizations, career services, etc. 

Aspiring Dean's Dinner

This was pretty good. Perhaps not as detailed as I would want but I definitely came away with a few nuggets. I was aware that the dean's role has been changing and is largely external and has a fund-raising component to it now. Turns out that really depends on the institution. But, if fund raising is in the job description, attend the CASE Conference. They evidently do all kinds of training on fund raising. Another important aspect is creating boards for funds raising and obtaining guidance. They recommended AACSB training for this which I thought was interesting. Overall, it was a good, enlightening dinner.

The Impact of Systematic Processes: Their Role in ACBSP Accreditation by 

This one was pretty interesting. Unfortunately, due to demand, we moved rooms which set the presentation back and then, due to technical difficulties, it was delayed even further. But, once it got going, it was quite interesting. They discussed taking the Baldridge approach to improving their accreditation processes. Then, they start to go through the new ACBSP standards. They overlap considerably with AACSB, though certainly, specific are different. Unfortunately, I had to leave before they were finished in order to attend the next even...which turned out to be a bust.

To be honest, then I attended several sessions that day that really did not pan out. They were focused on community colleges or were focused on other issues that simply do not impact my institution. The following day however, had several good sessions again though.

Student Retention: Strategies that Work in the College Setting by Dr. Augustine A Boakye

Student attrition might be high due to:

  • Inadequate orientation
  • Poor curriculum development
  • Implementation of assessments
  • Poor advisement and guidance
  • Inadequate preparation and low self-motivation
  • Personal tragedies such as health, death in family, etc.
  • Work related issues
  • Too much workload
  • Financial problems
  • Fear of failing
  • Dissatisfaction with professor's approach
Faculty are the first line of defense in student retention. He advocated for what he called the EES Progressive Retention Model:
  • Encourage from Day 1
  • Engage students both in and outside of class regularly
  • Show students you care through email when they have issues
He stressed that it was important that instructors agree and promote the mission to retain students. He also argued for hiring a participation, retention, and completion coordinator. Make sure students have access to textbooks from day 1. Finally, he stressed that administrators such as chairs, assistant/associate deans, and dean periodically visit classrooms to put a face on the administration for students and help ease any anxiety they might have regarding administrators.

Student Recruitment, Retention, and Reward: Sharing Best Practices by Dr. Cooper

There is an employee life cycle which also applies to students:

  1. Attraction
  2. Recruitment
  3. Onboarding
  4. Development
  5. Retention
  6. Separation
We need to practice the four E's:
  • Engagement
  • Experiment (challenge)
  • Enthusiasm/Energy (Passion)
  • Empowerment
Recruitment:
  • Faculty/Student Interactions: Emails, Listening, Mentorship
  • Retention: Classroom Management, List objectives and Check Off as Complete, Clear Course Expectations, Vary teaching techniques
  • Reward: Grades, Feedback, Inclusion, Incentive, Job Applications

Recruiting, Retaining, and Mentoring MBA Learners with Customized Skill Development by Dr. Craig Lien

According to the World Economic Forum, the top "skills' organizations are desiring from students are not some of those "hard skills" that are so often taught. Rather, they are:



Five Keys to Successful Student Retention in the Online Environment by Dr. Tony Lyons and Dr. Natalie Walker of Colorado Technical Institute

This was one of the best sessions I attended. They broke their strategy up into five facets:
  • Engaging Faculty: Emotional intelligence, Reaching out to failing students, High levels of student "touch" points

  • Electrifying Technologies: Adaptive Technology (CCKF Adaptive Learning, McGraw Hill, Pearson, etc), mobile aps, mobile ready, faculty/student texting

  • Innovative Curriculum and Learning Strategies

  • Just-In-Time Student "touch": Coach students up and use in-class surveys to identify students needs during the semester rather than waiting until the end.

  • Informative Metrics: Early alerts. This was a big one for me. Blackboard has some of these capabilities already built in. I simply have not mastered them...yet. I am very proficient when it comes to technology in general and really, pretty much so with Blackboard specifically. This is just not an area that I have place much emphases on just yet. Looks like it is time to do so.
Another point that I thought was interesting was the suggestion of scheduling early courses with the very best, most personable, engaging faculty to help attract and engage students. Schedule the tougher professors for more advanced courses where students will have much more invested in their programs and thus, will be more motivated to perform, despite the difficulties of the content in advanced classes.

From Information to Immesion: Bringing the MBA to Life in the Recruiting Process by Dr. Wieser, Fittipalli, and Thomas

Use a blog to incorporate success stories about faculty and students. Include stories about why students pursue their degree, graduate life, career development, capstone experiences, as well as faculty topics. Promote these through your social media channels such as Facebook, Twitter, etc. Get students involved in order to do and create content. For me personally, I am think graduate assistant, student assistant, intern, etc to help me do this.

Allow students to "sample" classes. They allow prospective students to attend a class or two and actually participate during group activities. They:
  1. Advertise the sampel classes and require that prospects register so the know who, when, and where they will have prospects in their class(es)
  2. They follow up sample class with emails and/or phone calls.
  3. They offer 2-4 sample classes per semester
80% of those who attend a sample class end up enrolling in their program. Consider creating a sampel Blackboard shell for prospective students.










That was about it. On the whole it was not bad. It was pretty spotty. Some sessions really were not that great while others were spot on, well done, and relevant. Perhaps most important was not so much this specific conference but rather, the spirit of self-reflection with an eye on continuous improvement. That was a clear message here and one that I took to heart.

Saturday, September 30, 2017

Research: Pre-Employment Screening for Security Risk: An Exploratory Study


Schuessler, J., Hite, D. (2014). Pre-Employment Screening for Security Risk: An Exploratory Study. Journal of Applied Business and Economics (16% Acceptance Rate); (C ABDC Ranking), 16(1), 84-95. www.na-businesspress.com/jabeopen.html


As a researcher, I have always been interested in this idea of security posture. Additionally, with the idea that insider threats represent a unique threat to organizations, it occurred to me that a study examining the security posture of potential hires might be of value to organizations. So, I decided to survey students based on common employment tests such as personality and ethics tests to examine how they might relate to the strength of passwords of those individuals. The idea was that if such tests could yield some useful insight into the personal computer security posture, that organizations could gain additional insightful information regarding potential hires without requiring any additional effort. Additionally, such information could be potentially used by organizations by identifying individuals who might require additional security training if they are offered a job.

My co-author and I surveyed 122 undergraduate and graduate students, mostly business majors. Respondents answered the big five personality test as well as a work ethic instrument by Miller, Woehr, and Hudspeth (2001). As the dependent variable, we had students enter a password from one of their banking institutions into a Microsoft password checker that determines the strength of your password based on a four point scale.

Three of the dimensions of personality were found to be related to the strength of password: agreeableness, extroversion, and neuroticism. Only one dimension of the work ethic construct was found to be related to the strength of password: delay of gratification. But, the important thing to take away from this research is that since organizations already use these kinds of tests when making employment decisions, these results can be used by them to gain additional insight regarding the security training that potential hires might need.

At the time of this writing, I am completing a follow up study that includes a larger sample and a more complete dependent variable based on the security posture of an individual as well as including additional tests such as an integrity test as well as cognitive ability, other tests that organizations use when making employment decisions. So, if you are in the hunt for a job and taking an employment test, recognize that the organization may be able to glean additional information from that employment test than just your personality!

Monday, August 28, 2017

Research: Data Breach Laws: Do They Work?

Schuessler, J. H., Nagy, D, Fulk, H. K., & Dearing, A. (2017). Data Breach Laws: Do They Work? Journal Of Applied Security Research, 12(3), 84.

I've got a data breach paper coming out in October in the Journal of Applied Security Research that argues for the passage of federal legislation to combat data breaches. I say "combat" but that is really a misnomer. See, "combat" makes it sound like we can take the fight to the bad guys and make them pay for breaking into organizations, stealing personal information, and selling it on the dark web. Unfortunately, it is not that easy. Neither is the passage of federal legislation that governs how those who have been breached should deal with the situation publicly.

Now, I tend to have a rather wide libertarian streak in me. As a result, I do not make light of calling for federal legislation. But, we have to look at the facts. What are the goals behind the creation of data breach legislation in the first place? It is not to stop or otherwise limit the occurrence of data breaches. Nearly every state in the U.S has passed data breach laws. Only Alabama, New Mexico, and South Dakota do not have such laws (National Conference of State Legislatures, nd). So, if such laws were working to reduce breaches, we would not being seeing the seemingly geometric rise in breaches that actually are occurring. In fact, my analysis showed that there were an average of 5.07 data breaches per year in states that would eventually pass data breach legislation and an average of 9.21 breaches per year in those same states after the passage of such legislation.

Table 1. Annual Breaches by Industry.


2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Business
25
67
130
237
202
274
177
162
195
258
Educational
75
80
111
131
78
65
57
63
54
57
Government/Military
21
99
110
110
90
104
54
55
60
92
Health/Medical
16
44
63
99
70
165
102
167
271
333
Financial/Credit
20
31
32
79
58
54
31
24
34
43
Total
157
321
446
656
498
662
421
471
614
783

So, no, data breach laws are not designed to reduce the number of data breaches. Rather, data breach laws are designed to facilitate informing consumers that their data has been breached and taking measures to protect their private and financial information as opposed to protecting the information systems that were originally compromised in the first place. Such laws typically include an element that requires notification to the consumer in certain situations such as a breach in which their name and social security number are not encrypted and somehow compromised. When that happens, consumer are notified and can take action to protect themselves such as monitoring the financial transactions, signing up for credit monitoring services, etc. It's not really about fixing the problem itself but rather, more about applying a band-aid after the fact.

Table 2. Relevant State and Territory Statutes.
State
Citation
State
Citation
Alaska
Alaska Stat. § 45.48.010 et seq.
Nevada
Nev. Rev. Stat. §§ 603A.010 et seq.242.183
Arizona
Ariz. Rev. Stat. § 44-7501
New Hampshire
N.H. Rev. Stat. §§ 359-C:19-C:20-C:21189:66
Arkansas
Ark. Code § 4-110-101 et seq.
New Jersey
N.J. Stat. § 56:8-161, -163
California
Cal. Civ. Code §§ 1798.291798.80 et seq.
New York
Colorado
Colo. Rev. Stat. § 6-1-716
North Carolina
N.C. Gen. Stat §§ 75-6175-65
Connecticut
North Dakota
N.D. Cent. Code §§ 51-30-01 et seq.51-59-34(4)(d)
Delaware
Ohio
Ohio Rev. Code §§ 1347.121349.191349.1911349.192
Florida
Fla. Stat. §§ 501.171282.0041282.318(2)(i) 
Oklahoma
Okla. Stat. §§ 74-3113.1, 24-161 to -166
Georgia
Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Oregon
Hawaii
Haw. Rev. Stat. § 487N-1 et seq.
Pennsylvania
73 Pa. Stat. § 2301 et seq.
Idaho
Idaho Stat. §§ 28-51-104 to -107
Rhode Island
Illinois
815 ILCS §§ 530/1 to 530/25
South Carolina
S.C. Code § 39-1-902013 H.B. 3248
Indiana
Ind. Code §§ 4-1-11 et seq.24-4.9 et seq.
Tennessee
Tenn. Code § 47-18-2107; § 8-4-119 (2015 S.B. 416, Chap. 42)
Iowa
Iowa Code §§ 715C.1, 715C.2
Texas
Tex. Bus. & Com. Code §§ 521.002521.053; Tex. Ed. Code § 37.007(b)(5); Tex. Pen. Code § 33.02
Kansas
Kan. Stat. § 50-7a01 et seq. 
Utah
Utah Code §§ 13-44-101 et seq.; § 53A-13-301(6)
Kentucky
Vermont
Vt. Stat. tit. 9 § 2430, 2435
Louisiana
La. Rev. Stat. §§ 51:3071 et seq.40:1300.111 to .116
Virginia
Va. Code § 18.2-186.6, § 32.1-127.1:05, § 22.1-20.2
Maine
Me. Rev. Stat. tit. 10 § 1347 et seq.
Washington
Maryland
Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
West Virginia
W.V. Code §§ 46A-2A-101 et seq.
Massachusetts
Mass. Gen. Laws § 93H-1 et seq.
Wisconsin
Wis. Stat. § 134.98
Michigan
Mich. Comp. Laws §§ 445.63445.72
Wyoming
Wyo. Stat. § 40-12-501 et seq.
Minnesota
Minn. Stat. §§ 325E.61325E.64
District of Columbia
D.C. Code § 28- 3851 et seq.
Mississippi
Miss. Code § 75-24-29
Guam
Missouri
Mo. Rev. Stat. § 407.1500
Puerto Rico
10 Laws of Puerto Rico § 4051 et seq.
Montana
Virgin Islands
V.I. Code tit. 14, § 2208
Nebraska
Neb. Rev. Stat. §§ 87-801-802-803-804-805-806-807



"So, if that is the case, why aren't state laws fine?" Well, I'll tell you why. They cost us more money. In a paper by Hovav and Gray (2014), they looked at the effect of the TJMaxx breach on various stakeholders. Their identification of stakeholders was pretty exhaustive and even included the intruders themselves. The end result of their analysis was that in the long run, TJX, the parent company, the company was just fine. Initially, stock prices tanked but as damage estimates were revised down, class-action law suits dismissed, and settlement with Visa, their stock value actually increased. Similar results for the Target breach can be found. So, there's no real market force in the long run that encourages organizations to protect the data of their customers. As long as they can weather the storm, they will come out of the other side, stronger than they were before knowledge of the breach occurred.

Table 3. Statistical Significance Before and After Enactment of Data Breach Laws.
Before Law Implemented
After Law Implemented
Average
5.07
9.21
Variance
103.1
93.5
P(T <= t) Two-tail
.041










Now, this is not to say that breaches are "good" for companies. There are real dollar values associated with a data breach. According to the Ponemon Institute (2014), the average cost of a data breach in 2014 was $5.85 million. That's $201 per record compromised. Those costs are even higher in healthcare. In light my the data from my student in which businesses and health/medical reported more breaches after data breach laws were enacted, that is a deadly combination. But, where do those costs come from? Costs come from the need to hire forensics experts, hotline support, notifications, providing credit monitoring subscriptions, etc.

Table 4. Effect of Data Breach Laws on Industry.

Before Law Implemented
After Law Implemented
p-value
.05
Business
1.21
4.19
.03
Education
1.65
1.51
.72
Government/
Military
1.24
1.60
.36
Health/
Medical
.66
3.06
.00
Financial/
Credit
.61
.82
.57












Table 5. Relationship between annual health care costs nationally and the number of data breaches occurring in the health care industry.
2005
2006
2007
2008
2009
2010
2011
2012
2013
Total National Health Expenditures (in billions)
2,035
2,167
2,304
2,414
2,506
2,604
2,705
2,817
2,919
Number of Healthcare Data Breaches
16
43
60
97
64
155
76
158
162













So, this brings us back to the issue at hand; what is the goal behind data breach legislation? Let's refine that question just a bit. What is the goal behind federal data breach legislation? If it is not to curtail the occurrence of data breaches and it is not to encourage organizations to do a better job of protecting their customer's information, then what is it?

I would argue that it is about streamlining the compliance issue. Part of the reason the cost per record is so high is that organizations that operate across state lines have up to 47 different jurisdictions to potentially comply with (assuming they do business in each state with breach laws on the books). This makes compliance a significant issue. A federal law that establishes a baseline for reporting requirements and defining what constitutes a data breach is needed. It will help to reduce the costs associated with complying with various state's current laws by allowing organizations to more simply comply with a single federal law.

References
Gross, G. Lawmakers push for federal data breach notification law. PCWorld. 2013. Available at: http://www.pcworld.com/article/2044673/lawmakers-push-for-federal-data-beach-notification-law.html. Accessed March 20, 2017.

Anthony, J. H., Choi, W., & Grabski, S. (2006). Market reaction to e-commerce impairments evidenced by website outages. International Journal of Accounting Information Systems, 7(2), 60-78. doi:10.1016/j.accinf.2005.10.002

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce, 9(1), 69.

Centers for Medicaid & Medicare Services. (2015) Retrieved 5/27/2015 https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/Downloads/Tables.zip

Clarke, R. (1994). Human identification in information systems: Management challenges and public policy issues. Information Technology & People, 7(4), 6-37.

Hardekopf, B. (2014, March 22). This Week In Credit Card News: Data Breaches At Supermarkets, Hospitals And UPS; Fighting Card Theft. Retrieved fromhttp://www.forbes.com/sites/moneybuilder/2014/08/22/this-week-in-credit-card-news-data-breaches-at-supermarkets-hospitals-and-ups-fighting-card-theft/

Hovav, A. P., & Gray, P. (2014). The Ripple Effect of an Information Security Breach Event: A Stakeholder Analysis. Communications of The Association For Information Systems, 34(50), 893-912.

Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. http://wwwreuterscom. 2017. Available at: http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Accessed March 20, 2017.

Identity Theft Resource Center. Retrieved from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html

Joerling, J. (2010). Data breach notification laws: an argument for a comprehensive federal law to protect consumer data. Washington University Journal Of Law & Policy, 467.

Millman J. Health care data breaches have hit 30M patients and counting. Washington Post. 2014. Available at: https://www.washingtonpost.com/news/wonk/wp/2014/08/19/health-care-data-breaches-have-hit-30m-patients-and-counting/?utm_term=.c850a7e6b8b1. Accessed March 20, 2017.

National Conference of State Legislatures. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Accessed March 20, 2017.

Phelps, J., Nowak, G., & Ferrell, E. (2000). Privacy concerns and consumer willingness to provide personal information. Journal of Public Policy & Marketing, 19(1), 27-41.
Ponemon Institute. (2014). 2014 Cost of Data Breach Study: United States

Ring, L. S. (2016, May 31). Is a Federal Data Breach Law in the Cards This Year? Retrieved May 23, 201 Ring, L. S. (2016, May 31). Is a Federal Data Breach Law in the Cards This Year? Retrieved May 23, 2017, from http://www.focusdatasolutions.com/techpol/is-a-federal-data-breach-law-in-the-cards-this-year7, from http://www.focusdatasolutions.com/techpol/is-a-federal-data-breach-law-in-the-cards-this-year

Schuessler, J. H. (2010). General deterrence theory: Assessing information systems security effectiveness in large versus small businesses. Dissertation Abstracts International Section A, 70, 3681.

Schuessler, J. H., Windsor, J., & Wu, Y. (2014). System Security Effectiveness in Large Versus Small Businesses. Journal of Information System Security, 10(1), 3-40.

Sherman, E. (2014, August 28). Why $250M didn’t protect J.P. Morgan from hackers. Retrieved from http://www.cbsnews.com/news/why-250m-didnt-protect-J.P.-morgan-from-hackers/

Shultz, K. S., Hoffman, C. C., & Reiter-Palmon, R. (2005). Using archival data for I-O research: advantages, pitfalls, sources, and examples, The Industrial-Organizational Psychologist, 42(3), 31-37.

Straub, D. W., & Welke, R. J. (1998). Coping With Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22(4), 441-469.


Thomas, L. (2014). Providing Notice After A Data Breach: 10 Steps To Take. Law360. Retrieved from http://www.law360.com/articles/534816/providing-notice-after-a-data-breach-10-steps-to-take