No one wants their data stolen. The financial loss, the headache and the insecurity that come with cyber risk are immense. And yet, so much of our lives takes place in the digital world. We execute financial transactions, share personal information and even date in cyberspace. Keeping this information safe is the crux of a branch of research at Idaho National Laboratory.
And for INL intern Lydia Speirs, formerly Lydia Greco, investigating cybersecurity issues has shown small- and large-scale implications. While her talents and interests led her to cyber research, her diverse capabilities took her on a circuitous path to get there.
Growing up in California, Speirs was involved in a high school debate team focused on constitutional law issues. She pursued this passion as an undergraduate, earning a bachelor’s degree in law and constitutional studies from Utah State University. She considered pursuing law school, but after talking to a few friends who worked in software development, she was intrigued.
“As I looked at their development projects and tried a basic coding course online, I decided web application development was something I wanted to pursue,” she said. “At first, I started learning coding languages as a hobby, but eventually I took an accredited software development course and started building web applications.”
After spending some time in the software development field, Speirs decided to pursue a Master of Business Administration. She became part of the National Information Assurance Training and Education Center (NIATEC), led by Dr. Corey Schou at Idaho State University. The program gave her the opportunity to pursue an MBA with an emphasis in cybersecurity.
Studying under Schou, Speirs developed an appreciation of why the NIATEC program started. “[Schou] saw a need for a workforce that had a solid understanding of networks and information security and also understood the workings of business operations,” Speirs said. “He saw the need for people to be able to apply the technical knowledge and communicate effectively with people involved in business.”
The NIATEC program gave her a scholarship to pursue her education, which led her toward an internship at INL.
Speirs began her INL work as a summer graduate student intern under Dr. Ron Fisher, Infrastructure Assurance & Analysis Division director and INL Resilience Optimization Center director. During her summer work, Speirs took on two cybersecurity projects. The first project focused on cybersecurity on an individual level. Working under Fisher and leading a group of high school interns, Speirs put together a risk assessment/resiliency index. The index focused on cybersecurity, emergency preparedness and general safety. Under cybersecurity, individuals could assess how at-risk they might be for a cyber event. The team sent the index to 50 INL employees to test the index and assess their own personal resiliency.
While the data about people’s resilience was interesting, the team also wanted to help people interpret the data to make meaningful change. “This project was about how we could help people become more resilient,” Speirs said. After seeing how they fared on the index, the employees could take suggestions to improve their resiliency. In short, Speirs explained that the index tells individuals, “Here is a list of things you can do to improve your personal resiliency and reduce the risks associated with cyber, general safety and emergency preparedness.” There are plans to continue this research through the INL Resiliency Optimization Center (IROC).
While Speirs’ first project focused on cybersecurity on the micro level, her second summer project looked at cybersecurity on a macro scale. We have all heard reports in the news about cyber breaches and cyberattacks. The data backs up these concerns. Cyberattacks continue to increase, and trillions of dollars are lost due to data breaches each year. That number is only expected to grow as people become more reliant on digital technologies.
To keep consumers safe, federal law requires companies to report to the Securities and Exchange Commission (SEC) when they’ve had a cybersecurity breach. Then these companies must follow up with the SEC on actions taken to ensure that customers’ data remains secure.
Working under Fisher, Speirs looked into how effective these measures seemed to be. The project stemmed from Fisher’s personal experience. “I was actually looking at investing in a company, so I was looking at their 10-K filing with the SEC. And it talked about cyber risk,” Fisher explained. “It got me wondering: How many companies address cyber risk in their financial reporting, and does the percentage of companies reporting cyber risk change by industry?”
The SEC was interested in this problem and provided a data set to analyze. A team including Speirs, Fisher, Jack Edwards, Angelica Petrovic, Celia Porod and Justin Wood (ISU) followed up on Fisher’s question and found that while there has been an increase in reporting cybersecurity risk to the SEC, the percentage of companies reporting cyber risk was still very low. Despite the SEC providing cyber risk guidelines in 2011 along with an update in 2018, the team’s research indicated that various challenges prevented many organizations from reporting cyber incidents, and delayed organizations from reporting when data breaches occurred.
Why do so few organizations report cyber incidents? “Fear of litigation, fear of damage to business reputation, and the potential for stock prices to fall,” said Speirs. On the flipside, their research also looked into what caused organizations to report: Regulation (government or industry related), education of cyber threat and cyber incident response.
Their research led them to publish a paper in February with their findings in the Journal of Cyber Security. Speirs is extending this analysis as the basis for her master’s thesis. Aside from academic interest, the research has also spurred the team to consider what changes should be made and to collaborate with the SEC and U.S. Department of Homeland Security on next steps.
It’s also created further questions moving forward. As Speirs finished her thesis, one question stood out in her mind: “What can we do to encourage companies to publicly acknowledge cyber risk and help their stakeholders take more control over their data security?”
“It’s impossible to prevent every cyberattack,” she said. “We just don’t have the capability, but I think we could do more to hold companies and agencies accountable. I think if we did hold them accountable, they would do more to ensure individual’s data was better protected and a proper amount of resources allocated to cybersecurity in their business.”
And when the summer ended, Speirs’ work continued. She maintained a role as a part-time intern as she has worked to complete her MBA. When she graduates this spring, Speirs plans to return to INL as a full-time employee in National & Homeland Security. She will bring her expertise in cybersecurity and her passion for law and justice with her to help keep everyone’s data safe.