Databases and Cybersecurity: Keeping Consumer Data and Personally Identifiable Information Safe 1. Introduction The topic of my research project is Cybersecurity in Databases. This research paper will serve as an introduction to databases and how it is necessary to keep them protected using methods of cybersecurity to keep consumer data safe. The reader will be informed about the personally identifiable information of consumers that can be contained in a database, and the damage that will come to these people if a database hacker infiltrates the database and gains access to the information. The reader will also be informed of common security methods used to protect a database. All of these answers stem from responses to two specific research questions; How is consumers’ information safer in a company database protected by cybersecurity methods? How are consumers affected when their personally identifiable information is illegally obtained during a database breach? The underlying problem sought to be resolved by my research is the potential for consumers’ data to be at risk in an insecure database. Given events that have occurred during data breaches of the past; it is important to educate consumers and responsible businesses on how to keep their customers’ data safe. My research paper will aim to serve in promoting the importance of cybersecurity in databases. Specific sources or academia, scholarly articles, and news articles relevant to the research questions have been detrimental in compiling a response. 2. Literature review The literature review is divided into topics that will be important in my research paper; Understanding Database Protections, Database Infiltration Techniques, and Large-scale Database Attacks. The articles contained in this literature review were specifically chosen because of their relevance at explaining these three topics. Information about these topics will be essential in answering my research questions. Understanding Database Protections Database protections have been necessary ever since databases have existed. Methods for securing databases have been introduced into the database management industry as far back as 1996. Studies back then were being made to better understand ”security concerns, requirements and problems that arise in the pursuit of meeting these requirements for security in databases” (Baraani-Dastjerdi, Pieprzyk, Safavi-Naini, 1996). Database securities being studied and implemented in history are the beginning variables used to answer the question of how to keep consumer data safe in a database by protecting it with cybersecurity. The first part of explaining cybersecurity and how it affects database protections and keeping people’s private data safe; is providing an understanding of how to keep a database secure. We will better understand basic database security practices given the knowledge that database security is required even at the lowest level. “The information in your company’s databases are important, so it stands to reason that database security is too” (Pratt, 2014). The list of 5 important database protection methods that all businesses and organizations would be expected to implement are “secure passwords, encryption, backdoor protection, segmentation, and proper auditing” (Pratt, 2014). These methods are to be understood as the rudimentary methods to be used. In further studies of database protections, our knowledge stems from basic information to more of a detailed checklist of what to do to keep a database secure. Items in the checklist which serve to answer my research questions are “Physical Database Server Security, Firewalls for Database Servers, Administrator Accounts/Permissions/Passwords, Database Auditing, Database Backup/Recovery, and Database Encryption and Key Management” (UC Berkeley, 2020). It shows bullet points for steps necessary in providing database security following the topic. An important rule to understand for firewalls for database servers, for example, is ”The database server is located behind a firewall with default rules to deny all traffic” (UC Berkeley, 2020). Knowledge of key practices like this will be what is necessary to have fluid database security. High-level security methods must be implemented into databases on top of the rudimentary ones. “Database security encompasses three constructs: confidentiality or protection of data from unauthorized disclosure, integrity or prevention from unauthorized data access, and availability or the identification of and recovery from hardware and software errors or malicious activity resulting in the denial of data availability” (Coffin Murray, 2010) These three constructs are important to understand in answering the question of how cybersecurity methods make a database safer. Topics included within these three constructs are the concepts of “access control, application access, vulnerability, inference, and auditing mechanisms” (Coffin Murray, 2010). For a truly scientific understanding of how to keep databases safe and how to protect consumer information, higher-level security procedures such as these are to be known. Database Infiltration Techniques In understanding how to keep databases safe, it is important to understand the most common forms of database attacks and how to rectify them. For my research, this provides a perfect introduction to understanding how database infiltrations most commonly occur, and what should be done to prevent or fix it when it occurs. Usual methods of database attacks include ”cloud database configuration errors, SQL injection, weak authentication, privilege abuse, excessive privileges, inadequate logging, and weak auditing, denial of service, insecure system architecture, and inadequate backup” (Pill, 2019). These methods of infiltration are each detailed cases of how attackers gain access to a database and the damage that they can do to consumer data. The origins of data security threats are not always attributed to the actions of attackers. Perspectives on how database hackers can be given access through unexpected circumstances such as employee malfeasance are important to understand. Four major ways that data breaches occur are “External Intrusions, Employees, Lost or Stolen Devices and Documents, and Social Engineering and Fraud” (Duverge, 2016). The exploration into the effects of employee actions, lost devices or documents and social engineering or fraud; and how they provide a criminal with techniques for gaining access to company assets are key to understanding the ways that hackers can gain unexpected access into a company database. Large-scale Database attacks To understand the effects of database attacks on specific vulnerable industries will help to better understand the impact on consumers. The healthcare industry is at the greatest risk of database attacks due to the private information that their databases hold. ”Healthcare providers and their business associates must balance protecting patient privacy while delivering quality patient care and meeting the strict regulatory requirements set forth by HIPAA and other regulations, such as the EU’s General Data Protection Regulation (GDPR)” (Lord, 2018). The patient records, credit card data, social security data, and more are vulnerable if a database for a healthcare provider is hacked. This is potentially the greatest example of how consumer information is at risk resulting in database attacks. When the database for the company Adobe was hacked in 2013, it was immediately known as one of the largest database attacks in modern history. After the attack, “The software-maker said that it now believed usernames and encrypted passwords had been stolen from about 38 million of its active users.” (BBC News, 2013). Having a good analysis of how this attack occurred and how it could have been prevented will be crucial in my research. “The firm had originally said 2.9 million accounts had been affected” (BBC News, 2013). This provides an insight into how many critical customer records can be stolen during a database breach. Given access to these customers’ user IDs and passwords, hackers have access to services that the consumers paid for and have access to purchase other services on their accounts. ”In March 2017, personally identifying data of hundreds of millions of people was stolen from Equifax, one of the credit reporting agencies that assess the financial health of nearly everyone in the United States.” (Fruhlinger, 2020). This is another critical example of a large-scale database attack in recent history. A vulnerability was found in the programming of their web service that allowed hackers to gain access to their data. “The Equifax breach investigation highlighted a number of security lapses that allowed attackers to enter supposedly secure systems and exfiltrate terabytes of data” (Fruhlinger, 2020). These hundreds of millions of people and terabytes worth of data would be at less risk if the most protective methods of cybersecurity were in place. Understanding the need for the most secure databases in large companies such as this helps us to understand why consumers' data is safer in a database protected by cybersecurity. 3. Research design 3.1. Epistemology My research paradigm is positivism. Given this fact, the conclusions I usually develop in my research will generate a response on the basis of science and calculations. Here, this will be useful in explaining how cybersecurity can improve database security based on numbers. We can use a numeric variable to define the number of database attacks that occur for a company with relation to their level of cybersecurity and how many people have been affected financially by a database breach where their personally identifiable information was leaked. There could be percentages of databases which have been breached before, and percentages of databases that have never been penetrated, based on the presence or absence of cybersecurity. These examples are all relevant to the research and lean towards a positivist viewpoint. 3.2 Research question (s) and Aims The design of this research revolves around two key questions which will be sought to be answered; -How is consumers’ information safer in a company database protected by cybersecurity methods? -How are consumers affected when their personally identifiable information is illegally obtained during a database breach? With these questions in mind, I am focusing on influencing the decisions of companies and consumers, in relation to data and databases. The answers to the questions will help to convince companies of how they could be putting people at risk by not protecting their data, and convince people to want to gain more understanding of the responsibility of companies to keep their data safe. I chose to use two questions instead of just one, for specific reasons. The first question leads into the second, as a follow-up. It somewhat serves as a cause and effect analysis. Readers will gain insight into how companies can protect the data of consumers (question 1), and the consequences of data not being protected (question 2). 3.3. Research Methods From my positivist standpoint, my research methods would be quantitative. Using numeric data and categories, my research could create measurements to describe how databases and people are affected by cybersecurity. Given quantities of how many databases are infiltrated, how many people’s PII is extracted from databases, how many databases are using cybersecurity, and how many methods of cybersecurity are used by companies; are all valid quantitative research questions viable in the detailed answers of the research questions. I see quantitative research methods as the most valid to analyze data to support the argument that databases are safer with the use of cybersecurity methods and practices. 3.4. Data Collection The data will be collected mainly using surveys. Using surveys will be the most practical method of obtaining quantitative data. The survey