  1. CHAPTER ONE:
  2. INTRODUCTION
    1. Background
      1. Example of an Identity Theft Victim
    2. Statement of Purpose
      1. Purpose
      2. Relevance
    3. The Motivation for the Study
    4. Researcher Bias and Assumptions
    5. Research Question

CHAPTER ONE:

INTRODUCTION

Background

Cybersecurity breaches have been at the forefront of multiple newspapers, magazines, and other news outlets (Hodge, 2019). According to the Identity Theft Resource Center’s (ITRC) 2019 Data Breach Report, between 2010 and 2019, the number of cybersecurity breaches, as well as the number of personal records exposed, more than doubled. In 2018, the ITRC reported that approximately 500 million records globally were exposed to bad actors (Identity Theft Resource Center, 2020) (see Appendix A for the statistics graph).

Cnet magazine, a prominent, technology-focused news outlet for information technology professionals, stated in one of its late 2019 articles that security breaches in companies like Amazon were caused by negligence. Additionally, these breaches left millions of users’ data compromised, to be bought and sold by the highest-bidding bad actors online, whose purposes for acquiring this type of information may lead to very undesirable consequences for their victims.

The words “unsecured database” seemed to run on repeat through security journalism in 2019. Every month, another company was asking its customers to change their passwords and report any damage. Cloud-based storage companies like Amazon Web Services and ElasticSearch repeatedly saw their names surface in stories of negligent companies – in the fields of health care, hospitality, government and elsewhere – which left sensitive customer data unprotected in the open wilds of the internet, to be bought and sold by hackers who barely had to lift a finger to find it. - Cnet Magazine (Hodge, 2019)

Digital identity became the center of all the data breaches, as personal information was placed into the hands of unwanted parties and bad actors. People do not realize the severity and the effect of these data breaches, especially the aftermath of an identity theft event, until they hear it from someone firsthand. Below is an article excerpt from an interview with an identity theft victim and the pains she experienced because her identity was compromised.

Example of an Identity Theft Victim

The article excerpt below is an extract from Forbes’s website titled ‘Someone Had Taken Over My Life’: An Identity Theft Victim’s Story. It illustrates the pains and suffering identity theft victims go through from the moment their identity gets compromised to the tedious cleanup process post-incident.

‘Someone Had Taken Over My Life’: An Identity Theft Victim’s Story

How did you first realize you were a victim of identity theft?

In February 2013, I came home after work on a Friday and received a phone call. I had gotten a call the day before as well from a major credit card company asking me to call them, and I initially thought that that was fraudulent. I thought, ‘Oh sure, I’m going to call this credit card company and talk to them about my account.’ [Sarcastically] I thought it didn’t seem legit.

They said, ‘We flagged this. We’ll deactivate the card.’ Even though there were all these flags, they still sent the credit card out to this address that was not mine. I hung up, and I thought, some lunatic has all my info. Do I call the police? Do I check my credit report? I decided, I’ll check all three of my credit reports and see what the damage is, and then I’ll follow up with the police. There was no relaxing from that point on. It’s been almost two years, and it’s still like it just happened.

I went to Equifax, Experian and Transunion, and you’re supposed to answer four security questions, which should be easy if it’s you: Which of these four addresses have you lived at? Which of these employers have you worked for? I couldn’t get to two of my reports because she had infiltrated my credit history to the point that her information overrode mine.

So then what did you do?

That weekend, I placed a fraud alert on my credit reports, and I eventually froze them. With an alert, you get calls, and the next day I got multiple calls. I would get a call from Discover: Someone just called, it sounds fraudulent, you have a flag, did you just call? No.

Like, five months ago, I ordered my credit reports, and lo and behold, there’s a medical collection agency. That one scares me more than any of them — to think she utilized my Social Security number to get medical attention. That’s a whole other realm. It’s a different animal.

How was the thief caught?

She was not a Mensa card-carrying person. She was very easy to track down. She had cable turned on at her apartment. Goods and services were mailed to her address. And when she signed up for a utility or phone, she used her name. Since it was linked to my Social Security Number, it updated it with fraudulent information. That’s why I couldn’t access my credit reports initially. They had all of her information. It even had a past employer where I never worked.

The police department built a case against her, a warrant went out for her arrest, and a neighboring community arrested her. She initially did not plead guilty. So, we had to go through the municipal court, grand jury, and the grand jury indicted her, and then pretrial and trial. She eventually did plead guilty, but since it’s a non-violent felony, she did not serve jail time. She did community service, which is all the more infuriating, because identity theft is a revenue stream for criminals, and this outcome means it’s much easier to be a criminal of identity theft than a criminal manufacturing drugs.

How have you been cleaning this up?

All companies have different ways in which they have you prove that you are who you say you are. When you are a victim of identity theft, you are put in the position of having to prove who you are to a greater extent than the criminal had to get goods and services. You’re treated like you’re trying to get out of paying for something.

One company wanted me to release the company and its affiliates, representatives’ agents and employees to contact and obtain information from all references — personal, professional, employers, public agencies, licensing authorities and educational institutions, and it goes on. Here I am, a victim of identity theft, and I have to contact my employer and where I went to school? I hold the companies just as responsible as the criminal. I think there’s a lot more due diligence they can extend at the onset. A number of companies were able to flag and say, this is identity theft, but a number of companies allowed it to happen. We hear about a hacking here a hacking there and are becoming accustomed to them. These companies can’t just throw out the latest and greatest technology and say, this is going to make things easier for you. How might this affect us negatively? Who can get access to this? The companies make transactions easier for themselves, yet I and millions of others are stuck cleaning up this mess.

The government isn’t much help either. You’re bounced around from agency to agency: If you’re an identity theft victim, here are the 400 steps you have to do.

How did this experience make you feel?

It’s the most time-consuming, upsetting, emotional event you have to go through. Somebody went in and so easily removed my information and had their information override mine on this all important, encompassing document — my credit report. You’re told from a young age to establish credit responsibility so down the road, you can make a big purchase like a vehicle or home. Meanwhile, some lunatic has barely any information about me and gets access to all these goods and services — yet I have to go fill out all these affidavits and turn in my utility bills and all my personal data to remove this fraudulent charge. The companies didn’t ask anywhere near that when they extended the credit. But now that it affects their bottom line, they turn around and make me do all this.

What advice would you have for others to prevent identity theft?

Be cautious with your information going forward. I always have been cautious, so I can’t do anything differently. Even if you do all the right things and shred things, and ask all the right questions, that won’t prevent you from being a victim. Wherever your information is held — where you file taxes, where you buy a car, go to school, get a job — they have your Social Security number. (Shin, 2014)

This article clearly highlights the severity of identity theft and the potential damage that cybersecurity breaches of personal data can cause. Thus, the motivation and purpose of this study are to listen to the voice of the people and gauge their awareness with regard to threats pertaining to their digital identity.

Statement of Purpose

Purpose

The purpose of this study was to explore people’s awareness of the risks associated with their digital identity, including their online personal data and online interaction. The goal was to develop a baseline of themes pertaining to participants’ knowledge of the risks associated with their digital identity as well as the means to help support the management of digital identity, online personal data, and online interactions.

Relevance

For this research to be relevant and interesting for people to read, there was an equal focus on practitioner and industry literature as on academic research. In his book Qualitative Research in Business Management (2013), Michael Myers highlighted the comparison between rigor and relevancy. The author stated that academic research tends to be rigorous; the more rigorous it becomes, the less relevant it is to practitioners. In this dissertation, the focus was on bridging rigor and relevance while keeping the content relevant to the reader and the current business environment (Myers, 2013).

The Motivation for the Study

The motivation for this research study was instigated by the principal investigator’s years of professional experience. The principal investigator spent more than ten years interacting with people and clients as an information technology-focused management consultant. The principal investigator recognized people’s concern about not knowing enough about their digital identity and the impacts of its risks; this concern and risk sparked the interest to conduct this study. The principal investigator found a gap in the academic literature regarding the voice of the people. As a result of this gap, the principal investigator decided to conduct this exploratory study to investigate what people know, with the hope of understanding why they know what they know and the gaps that need to be filled, to further enhance the awareness and management practices of digital identity risks and their attributed characteristics. While conducting this study, many biases and assumptions were made that affected the process and its outcome.

Researcher Bias and Assumptions

A bias to be considered in this research study is the principal investigator’s work in the information technology industry. As a practitioner, the researcher consults with the management and C-suite executives managing the information technology (IT) and cybersecurity departments of small to large scale organizations, with more than a trillion dollars in their annual budget.

The author’s background and experience, as well as the researcher’s knowledge of industry best practices and government-issued guidelines, laws, and regulations, influenced the insights that drove this study. The principal investigator leveraged publicly available information as well as the University of South Florida’s library access to resources when searching for literature about this study.

With regard to interview participants, the principal investigator relied on personal connections when he identified participants for this study, due to the government-imposed quarantine caused by the unpredicted global COVID-19 pandemic. This quarantine limited the interviews to Zoom, which presumed that people had a computer and basic computer literacy to participate in this study. The unpredicted event variable and the solicitation of participants via online channels affected the outcome of this study, as research participants were comfortable with spending time online, possibly more than an average person in their age category.

Research Question

To help guide this study, the principal investigator used the following research question as a driver to keep the study focused: “What are the risk perceptions of individuals, 55 to 75-year-old with no IT background, pertaining to their digital identity?” This study sought to explore the risks people are aware of pertaining to their digital identity, specifically people between the ages of 55 and 75, as they are close to or already retired. Therefore, any major event in their life relating to the loss of assets would be hard to recover from in a short period of time.

This research question was answered by conducting a literature review to determine what literature was published by academics and practitioners in this area. The participant interviews were used as a validating mechanism for the findings in the literature by summarizing the findings into themes that would help answer and support the proposed research question. To help set the stage and provide a background of some topics discussed in this study, chapter two is used as a high-level guideline that helps define and contextualize some of the terminology needed to understand the topics discussed in this study.

