NEWS | May 24, 2016

Why Government Organizations Don’t Care: Perverse Incentives and an Analysis of the OPM Hack

By Maj. James Twist, Capt. Matthew Hutchinson, Capt. Blake Rhoades, Ryan Gagnon

Many security experts have addressed the financial and personal security risks involved with the recent data breach at the Office of Personnel Management (OPM). This work supplements previous analyses of the event, and explores how the recently disclosed OPM breach has impacted the national security of the United States. By examining the elements of the breach - within the context of the stolen data and linkages to other data breaches - this work points to a larger offensive cyber campaign as the primary concern for U.S. leaders and policy makers. After thoroughly examining the details of the attack itself and its implications on DoD and national cybersecurity, we argue that government organizations lack appropriate incentives to secure their networks and personal data. The solution to this problem lies with organizational leaders, who must give guidance that incentivizes information security at the “tactical level.”

 

Why Government Organizations Don’t Care: Perverse Incentives and an Analysis of the OPM Hack